ABSTRACT

A method for making aspects of a computational model explicit in the formulas of a programming logic is given. The method is based on a new notion of environment: an environment augments the state transitions defined by a program's atomic actions rather than being interleaved with them. Two simple semantic principles are presented for extending a programming logic in order to reason about executions feasible in various environments. The approach is illustrated by (i) discussing a new way to reason in TLA and Hoare-style programming logics about real-time and by (ii) deriving the first TLA and Hoare-style proof rules for reasoning about schedulers.


This material is based on work supported in part by the Office of Naval Research under contract N00014-91-J-1219, AFOSR under proposal 93NM312, the National Science Foundation under Grant No. CCR-8701103, and DARPA/NSF Grant No. CCR-9014363. Any opinions, findings, and conclusions or recommendations expressed in this publication are those of the author and do not reflect the views of these agencies. Limor Fix is also supported, in part, by a Fulbright postdoctoral award.
1. Introduction

What behaviors of a concurrent program are possible may depend on the scheduler, instruction timings, and other aspects of the environment in which that program executes. For example, consider the program of Figure 1.1. Process P_1 executes an atomic action that sets y to 1 followed by one that sets y to 2. Concurrently, process P_2 executes an atomic action that sets y to 3. If all behaviors of this concurrent program were possible, then the final value of y would be 2 or 3. The environment, however, may rule out certain behaviors.

• Suppose P_1 has higher priority than P_2 and the environment selects between executable atomic actions by using a priority scheduler. Behaviors in which actions of P_2 execute before those of P_1 are now infeasible, and the final value of y cannot be 2.

• Suppose the environment uses a first-come first-served scheduler to select between executable atomic actions. Behaviors in which P_2 executes after the second action of P_1 are now infeasible, and the final value of y cannot be 3.

Thus, changing the environment can affect what properties a program satisfies.

Programming logics usually axiomatize program behavior under certain assumptions about the environment. Logics to reason about real-time, for example, axiomatize assumptions about how time advances while the program executes. These assumptions abstract the effects of the scheduler and the execution times of various atomic actions. A logic to reason about the consequences of resource constraints would similarly have to axiomatize assumptions about resource availability.

If assumptions about an environment are made when defining a programming logic, then changes to the environment may require changes to the logic. Previously feasible behaviors could become infeasible when the assumptions are strengthened; a logic for the original environment would then be incomplete for this new environment. Weakening the assumptions could add feasible behaviors; the logic for the original environment would then become unsound. For example, any of the programming logics for shared-memory concurrency (e.g. [OG76]) could be used to prove that the program of Figure 1.1 terminates with y=2 or y=3. But these logics must be changed to prove that y=2 necessarily holds if a first-come first-served scheduler is being used or that y=3 necessarily holds if a priority scheduler is used. As another example, termination of the program in Figure 1.2 depends on whether unfair behaviors are feasible. (Usually they are not.) Logics, like the temporal logic of [MP89], that assume a fair scheduler become unsound when this assumption about the environment is relaxed.


cobegin
  P_1: y := 1; y := 2
//
  P_2: y := 3
coend

Figure 1.1. A concurrent program
cobegin
  P_1: b := false
//
  P_2: do b → skip od
coend

Figure 1.2. Termination with fairness

This paper explores the design of programming logics in which assumptions about the environment can be given explicitly. Such logics allow us to prove that all feasible behaviors of a program satisfy a property, where the characterization of what is feasible is now explicit and subject to change. We give two semantic principles, program reduction and property reduction, for extending a programming logic so that explicit assumptions about an environment can be exploited in reasoning. These principles allow extant programming logics to be extended for reasoning about the effects of various fairness conditions, schedulers, and models of real-time; a new logic need not be defined every time a new model of computation is postulated. We illustrate the application of our two principles using TLA [L91] and a Hoare-style Proof Outline Logic [S94]. In TLA, programs and properties are both represented using a single language; in Proof Outline Logic these two languages are distinct.

The remainder of this paper is structured as follows. In section 2, our program and property reduction principles are derived. Then, in section 3, program reduction is applied to TLA. In section 4, property reduction is used to drive an extension to a Hoare-style logic. Section 5 puts this work in context. The appendix contains the completeness proof for the extended Hoare-style logic.

2.  Formalizing  and  Exploiting  the  Environment 

A programming logic comprises a sound and complete deductive system for verifying that a given program satisfies a property of interest. We write (S, Ψ) ∈ Sat to denote that a program S satisfies a property Ψ; each programming logic will have its own syntax for saying this. In any given programming logic, a program language is used to specify S and a property language, perhaps identical to the program language, is used to specify Ψ.

Usually, both the program S and the property Ψ define sets of behaviors, where a behavior is a mathematical object that encodes a sequence of state transitions resulting from program execution, and a state is a mapping from variables to values. Notice that

• the set [[S]] of behaviors for a program S constrains only the values of program variables,¹ and

• the set [[Ψ]] of behaviors for a property Ψ may also constrain the values of variables that are not program variables.

A program S satisfies a property Ψ exactly when all of the behaviors of S are behaviors permitted by Ψ:


¹Program variables include all those declared explicitly in the program as well as others, like program counters and message buffers, concerning aspects of the state implicitly involved in executing the program.
(S, Ψ) ∈ Sat  if and only if  [[S]] ⊆ [[Ψ]]   (2.1)


The environment in which a program executes defines a property too. This property contains any behavior that is not precluded by one or another aspect of the environment. For example, a priority scheduler precludes behaviors in which atomic actions from low-priority processes are executed instead of those from high-priority processes. As another example, the environment might define the way a distinguished variable time (say) changes in successive states, taking into account the processor speed for each type of atomic action.

For E the property defined by the environment, the feasible behaviors of a program S under E are those behaviors of S that are also in E: [[S]] ∩ [[E]]. A program S satisfies a property Ψ under an environment E, denoted (S, E, Ψ) ∈ ESat, if and only if every feasible behavior of S under E is in Ψ:

(S, E, Ψ) ∈ ESat  if and only if  ([[S]] ∩ [[E]]) ⊆ [[Ψ]]   (2.2)

Thus, a sound and complete deductive system for verifying (S, E, Ψ) ∈ ESat would permit us to prove properties of programs under various assumptions about schedulers, execution times, and so on.

Defining a separate logic to prove (S, E, Ψ) ∈ ESat is not always necessary if a logic to prove (S, Ψ) ∈ Sat is available. For properties Φ and Ψ, let property Φ ∩ Ψ be [[Φ]] ∩ [[Ψ]], let property Φ ∪ Ψ be [[Φ]] ∪ [[Ψ]], and let ¬Φ denote the complement of [[Φ]]. Then, one reduction from ESat to Sat is derived as follows.

(S, E, Ψ) ∈ ESat
iff «definition (2.2) of ESat»
([[S]] ∩ [[E]]) ⊆ [[Ψ]]
iff «definition (2.1) of Sat»
(S ∩ E, Ψ) ∈ Sat

Thus we have:

Program Reduction: (S, E, Ψ) ∈ ESat if and only if (S ∩ E, Ψ) ∈ Sat.   (2.3)

Program Reduction is useful if the logic for (S, Ψ) ∈ Sat has a program language that is closed under intersection with the language used to define environments. Section 3 shows this to be the case for Lamport's TLA; it is also the case for most other temporal logics.

A second reduction from ESat to Sat is based on using the environment to modify the property (rather than the program).

(S, E, Ψ) ∈ ESat
iff «definition (2.2) of ESat»
([[S]] ∩ [[E]]) ⊆ [[Ψ]]
iff «set theory»
[[S]] ⊆ ([[Ψ]] ∪ ¬[[E]])
iff «definition (2.1) of Sat»
(S, Ψ ∪ ¬E) ∈ Sat

This proves:

Property Reduction: (S, E, Ψ) ∈ ESat if and only if (S, Ψ ∪ ¬E) ∈ Sat.   (2.4)

Property Reduction imposes no requirement on the program language, but does require that the property language be closed under union with the complement of properties that might be defined by environments. An example of a logic whose property language satisfies this closure condition is CTL* [EH86].

When neither reduction principle applies, then we can reason about the effects of an environment by extending the logic being used to establish (S, Ψ) ∈ Sat. Extensions to the program language allow Program Reduction to be applied; extensions to the property language allow Property Reduction to be applied. Section 4 illustrates how this might be done, by extending the property language of a Hoare-style logic called Proof Outline Logic.

3.  Environments  for  TLA 

The Temporal Logic of Actions (TLA) is a linear-time temporal logic in which programs and properties are represented as formulas. Thus, the program language and property language of TLA are one and the same. This single language includes the usual propositional connectives, and the TLA formula F ∧ G defines a property that is the intersection of the properties defined by F and G. TLA is, therefore, an ideal candidate for Program Reduction.

3.1.  TLA  Overview 

A TLA state predicate is a predicate logic formula over some variables.² The usual meaning is ascribed to s ⊨ p for a state s and a state predicate p: when each variable v in p is replaced by its value s(v) in state s, the resulting formula is equivalent to true. For example, in a state s that maps y to 14 and z to 22, s ⊨ y+1 < z holds because s(y)+1 < s(z) equals 14+1 < 22, which is equivalent to true.

A TLA action is a predicate logic formula over unprimed variables and primed variables. Actions are interpreted over pairs of states. The unprimed variables are evaluated in the first state s of the pair (s, t) and the primed variables are evaluated, as if unprimed, in the second state t of the pair. For example, if s(y) equals 13 and t(y) equals 16 then (s, t) ⊨ y+1 < y' holds because s(y)+1 < t(y) is equal to 13+1 < 16, or, true.

In order to facilitate writing actions that are invariant under stuttering, TLA provides an abbreviation. For action A and list x of variables x_1, x_2, ..., x_n, the action³ [A]_x is satisfied by any pair (s, t) of states such that (s, t) ⊨ A or the values of the x_i are unchanged between s and t. Writing x' to denote the result of priming every variable in x, we get:

[A]_x:  A ∨ x = x'

TLA actions define state transitions. Therefore, they can be used to describe the next-state relation of a concurrent program, a single sequential process, or any piece thereof. For this purpose, it is useful to define a state predicate satisfied by any state from which a transition is possible due to an action A. That state predicate, Enbl(A), is defined by:

s ⊨ Enbl(A)  if and only if  (∃t: (s, t) ⊨ A)

Each formula Φ of TLA defines a property [[Φ]], which is the set of behaviors that satisfy Φ, where a behavior is represented by a sequence of states. Let σ be a behavior s_0 s_1 ..., let p be a state predicate, let A be an action, and let x be a list of variables. The syntax of the elementary formulas of TLA, along with the property defined by each, is:

σ ∈ [[p]]        iff  s_0 ⊨ p
σ ∈ [[□[A]_x]]   iff  for all i, i ≥ 0: (s_i, s_{i+1}) ⊨ [A]_x

²We assume that variable names do not contain the character ' (prime).

³TLA actually allows subscript x to be an arbitrary state function whose value will remain unchanged.

The remaining formulas of TLA are formed from these, as follows. Let Φ and Ψ be elementary TLA formulas or arbitrary TLA formulas.

σ ∈ [[¬Φ]]      iff  σ ∉ [[Φ]]
σ ∈ [[Φ ∨ Ψ]]   iff  σ ∈ ([[Φ]] ∪ [[Ψ]])
σ ∈ [[Φ ∧ Ψ]]   iff  σ ∈ ([[Φ]] ∩ [[Ψ]])
σ ∈ [[Φ ⇒ Ψ]]   iff  σ ∈ [[¬Φ ∨ Ψ]]
σ ∈ [[□Φ]]      iff  for all i, i ≥ 0: s_i s_{i+1} ... ∈ [[Φ]]
σ ∈ [[◇Φ]]      iff  σ ∈ [[¬□¬Φ]]

A TLA formula Φ is valid if and only if for every behavior σ, σ ∈ [[Φ]] holds. Validity of Φ ⇒ Ψ implies that every behavior σ is in [[Φ ⇒ Ψ]]. From the definition above for σ ∈ [[Φ ⇒ Ψ]], we have that if Φ ⇒ Ψ is valid then every σ in [[Φ]] is also in [[Ψ]]. Accordingly, we conclude:

Φ ⇒ Ψ is valid  if and only if  (Φ, Ψ) ∈ Sat   (3.1)

To prove that a program S satisfies a property Ψ using TLA, we

(1) construct a TLA formula Φ_S such that [[Φ_S]] is the set of behaviors of S, and

(2) prove Φ_S ⇒ Ψ valid.

As an example, we return to the program of §1. It is reproduced in Figure 3.1, with each atomic action labeled. The TLA formula Φ_S that characterizes behaviors for this program is

Φ_S:  Init_S ∧ □[𝒩_S]_{y, pc_1, pc_2}   (3.2)

where Init_S is a state predicate defining initial states of the program's behavior and 𝒩_S is a TLA action that characterizes the program's next-state relation. In defining the effect of each atomic action, variable pc_i denotes the program counter for process P_i and value ι is assumed to be different from the entry (control) point for any atomic action of the program.

cobegin
  P_1: α: y := 1;
       β: y := 2
//
  P_2: γ: y := 3
coend

Figure 3.1. A concurrent program

Init_S:  pc_1 = α ∧ pc_2 = γ
𝒩_S:     A_α ∨ A_β ∨ A_γ
A_α:     pc_1 = α ∧ pc_1' = β ∧ y' = 1 ∧ pc_2' = pc_2
A_β:     pc_1 = β ∧ pc_1' = ι ∧ y' = 2 ∧ pc_2' = pc_2
A_γ:     pc_2 = γ ∧ pc_2' = ι ∧ y' = 3 ∧ pc_1' = pc_1

3.2.  Exploiting  an  Environment  with  TLA 

If the property defined by an environment can be characterized in TLA, then Program Reduction can be used to reason about feasible behaviors under that environment. We prove Φ ∧ E ⇒ Ψ to establish that behaviors of the program characterized by Φ under the environment characterized by E are in the property characterized by Ψ:

Φ ∧ E ⇒ Ψ is valid
iff «definition (3.1)»
(Φ ∧ E, Ψ) ∈ Sat
iff «definition (2.1)»
[[Φ ∧ E]] ⊆ [[Ψ]]
iff «[[F ∧ G]] = [[F]] ∩ [[G]]»
([[Φ]] ∩ [[E]]) ⊆ [[Ψ]]
iff «definition (2.1)»
(Φ ∩ E, Ψ) ∈ Sat
iff «Program Reduction (2.3)»
(Φ, E, Ψ) ∈ ESat

The utility of this method depends on (i) being able to prove Φ ∧ E ⇒ Ψ when it is valid and (ii) being able to characterize in TLA those aspects of environments that interest us. A complete deductive system for TLA (see [L91], for example) will, by definition, be complete for proving Φ ∧ E ⇒ Ψ. In fact, this is one of the advantages of using Program Reduction to extend a complete proof system for Sat into a proof system for ESat: the complete proof system for ESat comes at no cost. Examples in the remainder of this section convey a sense for how an environment is represented by a TLA formula.

3.3.  Schedulers  as  TLA  formulas 

If there are more processes than processors in a computer system, then processors must be shared. This sharing is usually implemented by the scheduler of an operating system. To use Program Reduction with TLA and reason about execution of a program under a given scheduler, we write a TLA formula E to characterize that scheduler.

Many schedulers implement safety properties: they rule out certain assignments of processors to processes. Formalizations for these schedulers have much in common. Let Π be the set of processes to be executed in a system with N processors. For each process π, two pieces of information are maintained (in some form) by a scheduler:

active_π:  whether there is a processor currently allocated to π

rank_π:    a value used to determine whether a processor should be allocated to π
Only a single atomic action from one process can be executed at any time by a processor. This restriction is formalized as predicate Alloc(N), which bounds the number of processes to which N processors can be allocated at any time:⁴

Alloc(N):  (#π ∈ Π: active_π) ≤ N

The restriction that processes that have processors allocated are the only ones that advance is formalized in terms of the next-state relation 𝒩_π for a process π. We assume that these next-state relations are disjoint.

Pgrs(π):  𝒩_π ⇒ active_π

Finally, we formalize as Run(π) the requirement that active_π holds only for those processes with sufficiently large rank.

Run(π):  active_π ⇒ |larger(π)| < N
where:

larger(π):  {π' | rank_π < rank_π'}

In a fixed-priority scheduler, there is a fixed value v_π associated with each process π. A process that has not terminated and has higher priority is executed in preference to a process having a lower priority. This is ensured by assigning ranks as follows.

Prio(π):  (pc_π ≠ ι ⇒ (rank_π = v_π)) ∧ (pc_π = ι ⇒ (rank_π = 0))

A fixed-priority scheduler is thus characterized by

FixedPrio:  □[Alloc(N) ∧ (∀π ∈ Π: Pgrs(π) ∧ Run(π) ∧ Prio(π))]_x

where x is a list of all the variables in the system. For example, x for the program of Figure 3.1 would have pc_1, pc_2, y, active_{P_1}, rank_{P_1}, active_{P_2}, and rank_{P_2}.

In a first-come first-served scheduler, processes are ranked in accordance with elapsed time since last executed. We can model this by assigning ranks that are increased for processes that have not had an action executed.

Age(π):  (∀π ∈ Π: (𝒩_π ⇒ (rank_π' = 0)) ∧ (¬𝒩_π ⇒ (rank_π' = rank_π + 1)))

A first-come, first-served scheduler is therefore characterized by

FCFS:  (∀π ∈ Π: rank_π = 0) ∧ □[Alloc(N) ∧ (∀π ∈ Π: Pgrs(π) ∧ Run(π)) ∧ Age(π)]_x

where x is a list of all the variables in the system.

Both of these schedulers can allocate a processor to a process, even though that process may be unable to make progress. It is wasteful to allocate a processor to process π when Enbl(𝒩_π) does not hold (because π has terminated or because its next atomic action is not enabled). A variant of FixedPrio that allocates processors only to non-terminated and enabled higher-priority processes is:

EnblFixedPrio:  □[Alloc(N) ∧ (∀π ∈ Π: Pgrs(π) ∧ Run(π) ∧ EnblPrio(π))]_x

where

EnblPrio(π):  (Enbl(𝒩_π) ⇒ (rank_π = v_π)) ∧ (¬Enbl(𝒩_π) ⇒ (rank_π = 0))

As before, x is a list of all the variables in the system.

⁴We use the notation (#x ∈ P: R) for "the number of distinct values of x in P for which R holds".

A difficulty with assigning fixed priorities to processes is that execution of a high-priority process can be delayed awaiting progress by processes with lower priorities. For example, suppose a high-priority process π_H is awaiting some lock to be freed, so π_H is not enabled. If that lock is owned by a lower-priority process π_L, then execution of π_H cannot proceed until π_L executes. This is known as a priority inversion [SRL90][BMS93], because execution of a high-priority process depends on resources being allocated to a lower-priority process.

Priority inheritance schedulers give preference to low-priority processes that are blocking high-priority processes. This is done by changing process priorities. The low-priority process inherits a new, higher priority from any higher-priority process it blocks. Priority inheritance schedulers exhib
it improved worst-case response times in systems of tasks [SRL90], and they have become important in the design of real-time systems.

A priority inheritance scheduler must know what processes are blocked and how to unblock them. In systems where acquiring a lock is the only operation that blocks a process, deducing this information is easy: execution of the process that has acquired a lock is the only way that a process awaiting that lock becomes unblocked.

To describe systems with locks in TLA, we employ a variable lock_i for each lock; TLA actions for acquiring and releasing a lock by process π are:

acquire(lock_i, π):  lock_i = FREE ∧ lock_i' = π

release(lock_i):  lock_i' = FREE

Notice that lock_i = FREE is implied by Enbl(𝒩_π) when process π is waiting to acquire lock_i.

In a priority inheritance scheduler, each process π is assumed to have a priority v_π. The rank of a process π is the maximum of v_π and the priorities assigned to processes that are blocked by π. Thus, rank_π is the maximum of v_p for the process p satisfying lock_i = p (i.e. the priority of the current lock holder) and v_q for the process q satisfying Enbl(𝒩_q) ⇒ (lock_i = FREE) (i.e. the priority of the process attempting to acquire lock_i). For simplicity, we assume a system having a single lock, lock.

PrioInher(π):  (¬Enbl(𝒩_π) ⇒ (rank_π = 0)) ∧
               (lock = π ∧ Enbl(𝒩_π)
                  ⇒ (rank_π = (max p ∈ Π: (Enbl(𝒩_p) ⇒ lock = FREE) ∨ lock = p: v_p))) ∧
               (lock ≠ π ∧ Enbl(𝒩_π) ⇒ (rank_π = v_π))

Again, x is a list of all the variables in the system. A priority inheritance scheduler is thus characterized by

InhPrio:  □[Alloc(N) ∧ (∀π ∈ Π: Pgrs(π) ∧ Run(π) ∧ PrioInher(π))]_x

Not all schedulers are safety properties. Even schedulers that implement safety properties are often abstracted in programming logics as implementing (weaker) liveness properties. Such a liveness property gives conditions under which an action or process will be executed eventually. A simple example is the following, which implies that an enabled process with sufficiently high priority will execute.

FAIR:  (∀π ∈ Π: □(π ∈ TOP(N, Π) ∧ Enbl(𝒩_π)): ¬◇□[¬𝒩_π]_x)

Other examples of such liveness properties include weak fairness WF_x(A) and strong fairness SF_x(A) of TLA.

TLA Reasoning about Schedulers

In section 3.2, we showed that given TLA formulas Φ_S and E for a program and scheduler respectively, Φ_S ∧ E ⇒ Ψ is valid iff behaviors of S under E satisfy Ψ. Returning, for example, to the program of Figure 3.1, we prove as follows that assuming a fixed-priority scheduler, a single processor (i.e. N = 1), v_{P_1} = 2 and v_{P_2} = 1 implies that y = 3 will hold upon termination. The property that y = 3 holds upon termination of S is formulated in TLA as:

□(¬Enbl(𝒩_S) ⇒ y = 3).

Thus, for Φ_S as defined by (3.2), we must prove:

Φ_S ∧ FixedPrio ∧ □(N = 1 ∧ v_{P_1} = 2 ∧ v_{P_2} = 1 ∧ Π = {P_1, P_2})   (3.3)
   ⇒ □(¬Enbl(𝒩_S) ⇒ y = 3).

In general, one proves a TLA formula Init ∧ □[𝒩]_x ∧ □B ⇒ □C by finding a predicate I, called an invariant, and proving⁵ Init ⇒ I, I ⇒ C, and I ∧ [𝒩]_x ∧ B ∧ B' ⇒ I'. The first obligation establishes that I holds initially, the second implies that C holds whenever I does, and the third ensures that I holds throughout.

For proving (3.3), we choose⁶:

Init:     Init_S
□[𝒩]_x:  □[𝒩_S]_{y, pc_1, pc_2} ∧ FixedPrio
B:        N = 1 ∧ v_{P_1} = 2 ∧ v_{P_2} = 1

For I, the following suffices; the proof is left to the reader:

I:  (¬Enbl(𝒩_S) ⇒ y = 3) ∧ (pc_{P_2} ≠ γ ⇒ pc_{P_1} = ι)
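The scheduler environments of this section and the invariance argument for (3.3), as an added explicit-state check written for this page (it is not code from the paper): it enumerates the feasible steps of the Figure 3.1 program under FixedPrio and FCFS exactly as Alloc, Pgrs, Run, Prio and Age constrain them for N processors, collects the value of y at termination, and checks the three proof obligations for the invariant I over every state of the finite state space. The encoding of processes, labels and ranks as Python tuples, and the initial value 0 for y, are this example's own assumptions.

```python
"""Explicit-state exploration of the Figure 3.1 program under scheduler environments:
by Program Reduction, a step is feasible when S takes it and the scheduler formula E admits it."""
from dataclasses import dataclass
from itertools import product
from typing import Dict, Optional, Set, Tuple

IOTA = "iota"                          # stands for the termination control point iota
PROCS = ("P1", "P2")
# Atomic actions of Figure 3.1: label -> (process, entry control point, exit control point, y')
ACTIONS = {"alpha": ("P1", "alpha", "beta", 1),
           "beta":  ("P1", "beta",  IOTA,  2),
           "gamma": ("P2", "gamma", IOTA,  3)}
INIT_PC = ("alpha", "gamma")           # Init_S: pc_1 = alpha and pc_2 = gamma

@dataclass(frozen=True)
class State:
    pc: Tuple[str, str]                # (pc_P1, pc_P2)
    y: int                             # the paper leaves y's initial value open; 0 is used below
    rank: Tuple[int, int]              # (rank_P1, rank_P2) as maintained by the scheduler

def enabled(st: State):
    """Labels whose entry control point is current: the actions A with Enbl(A) in st."""
    return [lab for lab, (p, at, _, _) in ACTIONS.items() if st.pc[PROCS.index(p)] == at]

def run_allows(rank, proc: str, nproc: int) -> bool:
    """Run(pi) with Alloc(N): pi may be active only if fewer than N processes outrank it."""
    mine = rank[PROCS.index(proc)]
    return sum(1 for r in rank if mine < r) < nproc

class FixedPrio:
    """FixedPrio: Prio(pi) derives rank_pi from v_pi and pc_pi; Pgrs and Run gate each step."""
    def __init__(self, v: Dict[str, int], nproc: int):
        self.v, self.n = v, nproc
    def rank_of(self, pc) -> Tuple[int, int]:
        return tuple(self.v[p] if pc[i] != IOTA else 0 for i, p in enumerate(PROCS))
    def step(self, st: State, label: str, next_pc) -> Optional[Tuple[int, int]]:
        if not run_allows(st.rank, ACTIONS[label][0], self.n):
            return None                # the stepping process could not have been active
        return self.rank_of(next_pc)

class FCFS:
    """FCFS: Age resets the stepping process's rank to 0 and increments every other rank."""
    def __init__(self, nproc: int):
        self.n = nproc
    def rank_of(self, pc) -> Tuple[int, int]:
        return (0, 0)                  # (forall pi in Pi: rank_pi = 0) holds initially
    def step(self, st: State, label: str, next_pc) -> Optional[Tuple[int, int]]:
        proc = ACTIONS[label][0]
        if not run_allows(st.rank, proc, self.n):
            return None
        return tuple(0 if p == proc else st.rank[i] + 1 for i, p in enumerate(PROCS))

def successors(st: State, env):
    """Feasible next states: a step of some A_label that the environment also admits."""
    out = []
    for lab in enabled(st):
        proc, _, to, yval = ACTIONS[lab]
        pc = tuple(to if p == proc else st.pc[i] for i, p in enumerate(PROCS))
        rank = env.step(st, lab, pc)
        if rank is not None:
            out.append(State(pc, yval, rank))
    return out

def reachable(env) -> Set[State]:
    init = State(INIT_PC, 0, env.rank_of(INIT_PC))
    seen, todo = {init}, [init]
    while todo:
        for nxt in successors(todo.pop(), env):
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen

def final_y(env) -> Set[int]:
    """Values of y in reachable states where S has terminated, i.e. not Enbl(N_S)."""
    return {st.y for st in reachable(env) if not enabled(st)}

def stuck_states(env) -> Set[State]:
    """Reachable states in which S could step but the (safety-only) environment admits no step."""
    return {st for st in reachable(env) if enabled(st) and not successors(st, env)}

def invariant(st: State) -> bool:
    """I of Section 3.3: (not Enbl(N_S) => y = 3) and (pc_P2 != gamma => pc_P1 = iota)."""
    return bool(enabled(st) or st.y == 3) and (st.pc[1] == "gamma" or st.pc[0] == IOTA)

def invariant_is_inductive(env: FixedPrio) -> bool:
    """The three obligations for (3.3), over every state rather than only the reachable ones:
    Init => I, I => C, and I /\ [N]_x /\ B /\ B' => I' (B, i.e. N and the v_pi, is in env)."""
    pcs = product(("alpha", "beta", IOTA), ("gamma", IOTA))
    states = [State(pc, y, env.rank_of(pc)) for pc in pcs for y in (0, 1, 2, 3)]
    init_ok = invariant(State(INIT_PC, 0, env.rank_of(INIT_PC)))
    c_ok = all(bool(enabled(st)) or st.y == 3 for st in states if invariant(st))
    step_ok = all(invariant(nxt) for st in states if invariant(st) for nxt in successors(st, env))
    return init_ok and c_ok and step_ok
```

With N = 2 processors FixedPrio rules out nothing (Alloc and Run never bind), so both final values 2 and 3 reappear. Under FCFS with N = 1 one reachable state has an enabled action that the environment never admits, because a terminated process keeps aging and outranks the other; the safety formula alone therefore says nothing about termination, which is the role of liveness conditions such as FAIR.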

3.4.  Real  time  in  TLA 

The  correlation  between  execution  of  a  program  and  the  advancement  of  time  is  largely  an 
artifact  of  the  environment  in  which  that  program  executes.  The  scheduler,  the  number  of  processors, 
and  the  availability  of  other  resources  all  play  a  role  in  determining  when  a  process  may  take  a  step. 
To  reason  with  TLA  about  properties  satisfied  by  a  program  in  such  an  environment,  we  simply 
characterize  the  way  time  advances  and  then  use  Program  Reduction.  Various  models  of  real-time 
one  finds  in  the  literature  differ  only  in  their  characterization  of  how  time  advances. 

When only a single processor is assumed, then process execution is interleaved on that processor. One way to abstract this is to associate two constants with each atomic action α:

e_α:  the fixed execution time of atomic action α on a bare machine

δ_α:  the maximum time that can elapse from the time that the processor is allocated for execution of α until α starts executing.

Execution of α is thus correlated with the passage of between e_α and e_α + δ_α time units.

The following TLA formula is satisfied by such behaviors. Variable T is the current time and ATOM(S) is the set of atomic actions in S. Recall that A_α defines atomic action α.

T = 0 ∧ □[ ∧_{α ∈ ATOM(S)} (A_α ⇒ (T + e_α ≤ T' ≤ T + e_α + δ_α)) ]_x

As before, x is a list of all variables in the system.

⁵A' denotes the formula obtained by priming each unprimed free variable in A.

⁶The choice of B is based on applying the Temporal Logic axiom (□E ∧ □F) ≡ □(E ∧ F).

Another common model of how time advances abstracts the case where each process is executed on its own processor. We assume that the next action to be executed at process π is uniquely defined at each control point. (Other assumptions are possible, and these can be formalized also.) We formalize this environment in TLA by using a separate variable T_π for each process π:

T_π:  the time process π arrived at its current state.

System time T is the maximum of the T_π:

SysTme:  T = max_{π ∈ Π}(T_π)

And each individual process π must execute its next action α (say) before e_α + δ_α has elapsed from the time π reached its current state. Let the label on action α be "α".

LclTme:  (∀π ∈ Π: pc_π = α: T − T_π ≤ e_α + δ_α)

The range pc_π = α is satisfied by states in which the program counter for process π indicates that α is the next atomic action to be executed; the body requires α to be executed before the system's time has advanced too far.

Finally, the value of T_π changes iff an atomic action from process π is executed:

LclTmeUpdt:  (∀π ∈ Π: (∀α ∈ ATOM(S): pc_π = α ∧ A_α: T_π + e_α ≤ T_π' ≤ T_π + e_α + δ_α
                                        ∧ (∀φ ∈ Π: φ ≠ π: T_φ' = T_φ)))

Here, the range is satisfied only by steps attributed to atomic action α of process π; the body causes all of the T_π to be updated.

Putting all these together, we get a TLA formula characterizing this model of real time:

T = 0 ∧ (∀π ∈ Π: T_π = 0) ∧ □[ ∧_{α ∈ ATOM(S)} (SysTme ∧ LclTme ∧ LclTmeUpdt) ]_x   (3.4)
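To see how the conjuncts of (3.4) constrain a single step, here is an added checker (not from the paper) that tests a constructed four-state behavior of the Figure 3.1 program against SysTme, LclTme and LclTmeUpdt on one processor per process. The timing constants e_α, δ_α, the dict encoding of states and the fixed process-to-action assignment are this example's assumptions.

```python
"""Checks a behavior against the multiprocessor real-time environment of (3.4): SysTme and
LclTme must hold in every state and LclTmeUpdt on every step (T = 0 and all T_pi = 0 initially)."""
from typing import List, Optional

IOTA = "iota"                     # control point of a terminated process
# Constructed timing constants (e_a, delta_a) for the actions of Figure 3.1, plus the
# process that executes each action (the next action is unique at each control point).
TIMING = {"alpha": (2, 1), "beta": (2, 1), "gamma": (3, 2)}
OWNER = {"alpha": "P1", "beta": "P1", "gamma": "P2"}
# A state is a dict {"pc": {proc: label or IOTA}, "t": {proc: T_proc}, "T": system time}.

def sys_tme(st: dict) -> bool:
    """SysTme: T = max over pi of T_pi."""
    return st["T"] == max(st["t"].values())

def lcl_tme(st: dict) -> bool:
    """LclTme: a process whose pc is at action a has waited at most e_a + delta_a."""
    return all(st["T"] - st["t"][p] <= sum(TIMING[a]) for p, a in st["pc"].items() if a != IOTA)

def lcl_tme_updt(st: dict, label: Optional[str], nxt: dict) -> bool:
    """LclTmeUpdt for one step. Range: the step is attributed to action `label` of the process
    pi whose pc points at it; body: T_pi advances by e to e + delta, every other T_phi unchanged.
    A label of None is a stuttering step, which [...]_x admits only if nothing changes."""
    if label is None:
        return nxt == st
    pi = OWNER[label]
    if st["pc"][pi] != label:
        return False
    e, d = TIMING[label]
    in_window = st["t"][pi] + e <= nxt["t"][pi] <= st["t"][pi] + e + d
    return in_window and all(nxt["t"][q] == st["t"][q] for q in st["t"] if q != pi)

def first_violation(states: List[dict], labels: List[Optional[str]]) -> Optional[str]:
    """None if the behavior satisfies (3.4); otherwise the first failing conjunct and step."""
    s0 = states[0]
    if s0["T"] != 0 or any(v != 0 for v in s0["t"].values()):
        return "initial: T = 0 and every T_pi = 0 required"
    for i, (st, nxt, lab) in enumerate(zip(states, states[1:], labels)):
        if not sys_tme(nxt):
            return f"step {i}: SysTme"
        if not lcl_tme(nxt):
            return f"step {i}: LclTme"
        if not lcl_tme_updt(st, lab, nxt):
            return f"step {i}: LclTmeUpdt"
    return None

def figure31_behavior(t_gamma: int):
    """Constructed behavior of Figure 3.1 with one processor per process: P2 runs gamma,
    arriving at its final state at time t_gamma, then P1 runs alpha (done at 3) and beta (at 5)."""
    s0 = {"pc": {"P1": "alpha", "P2": "gamma"}, "t": {"P1": 0, "P2": 0}, "T": 0}
    s1 = {"pc": {"P1": "alpha", "P2": IOTA}, "t": {"P1": 0, "P2": t_gamma}, "T": t_gamma}
    s2 = {"pc": {"P1": "beta", "P2": IOTA}, "t": {"P1": 3, "P2": t_gamma}, "T": max(3, t_gamma)}
    s3 = {"pc": {"P1": IOTA, "P2": IOTA}, "t": {"P1": 5, "P2": t_gamma}, "T": max(5, t_gamma)}
    return [s0, s1, s2, s3], ["gamma", "alpha", "beta"]
```

With t_gamma = 5 the first step is rejected by LclTme rather than by P2's own window [3, 5]: P1 is still waiting at α, so system time may not advance past e_α + δ_α = 3 before α executes. With t_gamma = 2 it is P2's own window in LclTmeUpdt that fails.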

An  Old-fashioned  Recipe 

The scheme just described works by restricting the transitions allowed by each action. These restrictions ensure that an action only executes when its starting and ending times are as prescribed by the real-time model. Thus, the approach regards the environment as augmenting each action of the original system. The environment executes simultaneously with the system's actions.

A somewhat different approach to reasoning about real-time with TLA is described by Lamport and Abadi in "An old-fashioned recipe for real-time" [AL91]. That recipe is extended for handling schedulers in [LJJ93]. Like our scheme, the recipe does not require changes to the language or deductive system of TLA. However, unlike our scheme, additional actions are used to handle the passage of time. These new actions interleave with the original program actions, updating a clock and some count-down timers.

There  seems  to  be  no  technical  reason  to  prefer  one  approach  to  the  other.  In  the  examples  we 
have checked, the old-fashioned recipe is a bit cumbersome. A variable now analogous to our variable T is used to keep track of the current time, and a variable, called a timer, is associated with each
atomic  action  whose  execution  timing  is  constrained.  Timers  ensure  (i)  that  the  new  actions  to 
advance  now  are  disabled  when  actions  of  the  original  program  must  progress  and  (ii)  that  actions  of 
the  original  program  are  disabled  when  now  has  not  advanced  sufficiently.  The  timers,  now,  and 
added  actions  implement  what  amounts  to  a  discrete-event  simulation  that  causes  time  to  advance  and 
actions  to  be  executed  in  an  order  consistent  with  timing  constraints.  To  write  real-time 
specifications,  it  suffices  to  learn  the  few  TLA  idioms  in  [AL91]  and  repeat  them.  However,  to  prove 
properties  from  these  specifications,  the  details  of  this  discrete  event  simulation  must  be  mastered. 

4.  Environments  for  a  Hoare-style  Proof  Outline  Logic 

We now turn our attention to a second programming logic, one that is quite different in character from TLA. The formulas of a Hoare-style logic are imperative programs in which an assertion is associated with each control point. This rules out Program Reduction (2.3), because imperative programming languages are generally not closed under intersection of any sort. Similarly, Property Reduction (2.4) is ruled out because the property language, annotated program texts, also lacks the necessary closure. However, it is not difficult to extend the property language of a Hoare-style logic and then apply Property Reduction (2.4). An example of such an extension is given in this section.

4.1. A Hoare-Style Logic

Consider a simple programming language having assignment, sequential composition, and parallel composition statements. An example program is given in Figure 4.1; it is equivalent to the program of Figure 1.1.

The syntax of programs in our language is given by the following grammar. There, λ is a label, x is a program variable, and E is an expression over the program variables.

$S ::= \lambda: [x := E] \ \mid\ \lambda: [S;\ S] \ \mid\ \lambda: [S\ //\ S]$

Every label in a program is assumed to be unique. In the discussion that follows, the label on the entire program is used to name that program. In addition, for a statement λ: [...], we call "λ: [" the

λ: [ λ1: [ λ11: [y := 1];
           λ12: [y := 2] ]
     //
     λ2: [y := 3] ]

Figure 4.1. Simple Program


Footnote: Constraint-maintenance languages are the obvious exception.

Footnote: Handling an imperative language with if and do is not fundamentally different.

opening of λ, call "]" the closing, and define Lab(λ) to be the set containing label λ and all labels used between the opening and closing of λ.

A program state assigns values to the program variables and to control variables. The control variables for a program λ are at(λ'), in(λ'), and after(λ') for every label λ' in Lab(λ).

The set Σ of program states contains only those states satisfying certain constraints on the values of control variables. These constraints are given in Figure 4.2. They ensure that the control variables encode plausible values of program counters. For example, the constraints rule out the possibility that control variables at(λ) and after(λ) are both true in a state. As another example, the constraints imply that any state for program λ of Figure 4.1 assigning true to after(λ11) must also assign true to at(λ12).

The executions of a program λ define a set of behaviors. It will be convenient to represent a behavior using a triple ⟨σ, i, j⟩, where σ is an infinite sequence of states, i is a natural number, and j is a natural number satisfying i ≤ j or is ∞. Informally, behavior ⟨σ, i, j⟩ models a (possibly partial) execution starting in state σ[i] that produces the sequence of states σ[i..j]. Prefix σ[..i-1] is the sequence of states that precedes the execution; suffix σ[j..] models subsequent execution.


Each state s of a program λ satisfies:

C0: $s \models (in(\lambda) \neq after(\lambda))$

C1: $s \models \neg(at(\lambda) \wedge after(\lambda))$

C2: $s \models (at(\lambda) \Rightarrow in(\lambda))$

C3: For every assignment statement λ: [x := E]:
  $s \models (at(\lambda) = in(\lambda))$

C4: For every sequential composition λ: [λ1: [S1]; λ2: [S2]]:
  $s \models (at(\lambda) = at(\lambda_1))$
  $s \models (after(\lambda) = after(\lambda_2))$
  $s \models (after(\lambda_1) = at(\lambda_2))$
  $s \models ((in(\lambda_1) \vee in(\lambda_2)) \Rightarrow in(\lambda))$
  $s \models \neg(in(\lambda_1) \wedge in(\lambda_2))$

C5: For every parallel composition λ: [λ1: [S1] // λ2: [S2]]:
  $s \models (at(\lambda) = (at(\lambda_1) \wedge at(\lambda_2)))$
  $s \models (after(\lambda) = (after(\lambda_1) \wedge after(\lambda_2)))$
  $s \models (in(\lambda) = ((in(\lambda_1) \vee after(\lambda_1)) \wedge (in(\lambda_2) \vee after(\lambda_2)) \wedge \neg(after(\lambda_1) \wedge after(\lambda_2))))$

Figure 4.2. Constraints on control variables


Footnote: For an infinite sequence σ = s0 s1 ... we write: σ[i] to denote $s_i$; σ[..i] to denote prefix $s_0 s_1 \ldots s_i$; σ[i..] to denote suffix $s_i s_{i+1} \ldots$; and σ[i..j], where i ≤ j, to denote subsequence $s_i \ldots s_j$.
Formally, we define the set $[[\lambda]]$ of behaviors for a program λ in terms of relations $R_{\lambda': [x := E]}$ for the assignments λ' in λ:

$(s, t) \in R_{\lambda': [x := E]}$ iff $s \models at(\lambda')$, $t \models after(\lambda')$, $t(x) = s(E)$, and (4.1)
$s(v) = t(v)$ for all program variables v different from x.

Let Assig(λ) be the subset of Lab(λ) that are labels on assignment statements in λ. Behavior ⟨σ, i, j⟩ is defined to be an element of $[[\lambda]]$ iff

For all k, i ≤ k < j: Exists λ' ∈ Assig(λ): $(\sigma[k], \sigma[k+1]) \in R_{\lambda': [x := E]}$ (4.2)

Thus, each pair of adjacent states in σ[i..j] models execution of some assignment statement and the corresponding changes to the target and control variables.

Proof Outlines

Having defined the program language, we now define the property language of Proof Outline Logic. A proof outline for a program λ associates an assertion with the opening and closing of each label in Lab(λ). The assertion associated with the opening of a label λ is called the precondition of λ and is denoted pre(λ); the assertion associated with its closing is called the postcondition of λ and is denoted post(λ).

Here is a grammar giving a syntax of proof outlines for our simple programming language.

$PO ::= \{p\}\ \lambda: [x := E]\ \{q\} \ \mid\ \{p\}\ \lambda: [PO_1;\ PO_2]\ \{q\} \ \mid\ \{p\}\ \lambda: [PO_1\ //\ PO_2]\ \{q\}$

PO1 and PO2 are proof outlines, and p and q are assertions. A concrete example of a proof outline is given in Figure 4.3. It contains a proof outline for the program of Figure 4.1. Easier to read notations for proof outlines do exist; this format is particularly easy to define formally, so it is well
{true}
λ: [ {true}
     λ1: [ {true}
           λ11: [y := 1] {y=1 ∨ y=3};
           {y=1 ∨ y=3}
           λ12: [y := 2] {y=2 ∨ y=3}
         ] {y=2 ∨ y=3}
     //
     {true}
     λ2: [y := 3] {y=2 ∨ y=3}
   ] {y=2 ∨ y=3}

Figure 4.3. Example Proof Outline


Footnote: For example, we sometimes write {p} PO(λ) {q} to denote a proof outline that is identical to PO(λ) but with p replacing pre(λ) and q replacing post(λ).
suited to our purpose.

Assertions in proof outlines are formulas of a first-order predicate logic. In this logic, terms and predicates are evaluated over traces, finite sequences of program states. A trace $s_0 s_1 \ldots s_n$ that is a prefix of a program behavior defines a current program state $s_n$ as well as a sequence $s_0 \ldots s_{n-1}$ of past states. Thus, assertions interpreted with respect to traces can not only characterize the current state of the system, but can also characterize histories leading up to that state. Such expressiveness is necessary for proving arbitrary safety properties and for describing many environments.

The terms of our assertion language include constants, variables, the usual expressions over terms, and the past term ΘT for T any term [S94]. The Θ operator allows terms to be constructed whose values depend on the past of a trace. For example, x + Θy evaluated in a trace $s_0 s_1 s_2$ equals $s_2(x) + s_1(y)$. More formally, we define as follows the value $[[T]]t$ of a term T in trace t, where c is a constant, v is a variable, and $T_1$ and $T_2$ are terms.


term T: value $[[T]]\,s_0 s_1 \ldots s_n$

$[[c]]\,s_0 s_1 \ldots s_n = c$

$[[v]]\,s_0 s_1 \ldots s_n = s_n(v)$

$[[T_1 + T_2]]\,s_0 s_1 \ldots s_n = [[T_1]]\,s_0 s_1 \ldots s_n + [[T_2]]\,s_0 s_1 \ldots s_n$

$\ldots$

$[[\Theta T]]\,s_0 s_1 \ldots s_n = [[T]]\,s_0 s_1 \ldots s_{n-1}$ if $n > 0$; $false$ if $n = 0$

Predicates of the assertion language are formed in the usual way from predicate symbols, terms, propositional connectives, and the universal and existential quantifiers. It is also convenient to regard Boolean-valued variables as predicates. This allows control variables to be treated as predicates. It also allows Θtrue to be treated as a predicate whose value is true in any trace having more than one state. Assertions are just predicates.
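The term semantics above, as an added example that is not part of the paper: a small evaluator for terms over traces, following the table for constants, variables, sums and the past term ΘT (the value false on a one-state trace). The class names Const, Var, Plus, Eq and Past and the sample trace are this example's own constructions.

```python
# Added example (not from the paper): evaluating terms of the trace-based
# assertion language exactly as the table above defines them. A trace is a
# non-empty list of states; a state maps variable names to values. The
# class names Const, Var, Plus, Eq and Past are this example's own.
from dataclasses import dataclass
from typing import Any, Dict, List

State = Dict[str, Any]
Trace = List[State]

@dataclass(frozen=True)
class Const:          # constant c
    value: Any

@dataclass(frozen=True)
class Var:            # program or control variable v
    name: str

@dataclass(frozen=True)
class Plus:           # T1 + T2
    left: Any
    right: Any

@dataclass(frozen=True)
class Eq:             # the predicate T1 = T2 (Boolean-valued, so usable as a term)
    left: Any
    right: Any

@dataclass(frozen=True)
class Past:           # the past term ΘT
    term: Any

def evaluate(term, trace: Trace):
    """[[T]] s0 s1 ... sn: the value of term T in trace s0 s1 ... sn."""
    if not trace:
        raise ValueError("a trace has at least one state")
    if isinstance(term, Const):
        return term.value
    if isinstance(term, Var):
        return trace[-1][term.name]                  # sn(v): the current state
    if isinstance(term, Plus):
        return evaluate(term.left, trace) + evaluate(term.right, trace)
    if isinstance(term, Eq):
        return evaluate(term.left, trace) == evaluate(term.right, trace)
    if isinstance(term, Past):
        if len(trace) == 1:                          # n = 0: there is no past state
            return False
        return evaluate(term.term, trace[:-1])       # n > 0: evaluate T in s0 ... s(n-1)
    raise TypeError(f"unknown term {term!r}")

# Constructed sample trace s0 s1 s2 (not from the paper).
TRACE = [{"x": 0, "y": 10}, {"x": 1, "y": 20}, {"x": 5, "y": 30}]

def x_plus_past_y(trace):
    """x + Θy, the paper's example term: s2(x) + s1(y) on TRACE."""
    return evaluate(Plus(Var("x"), Past(Var("y"))), trace)

def past_true(trace):
    """Θtrue: true exactly in traces with more than one state."""
    return evaluate(Past(Const(True)), trace)

def unchanged(var, trace):
    """The predicate v = Θv: the last step left v unchanged."""
    return evaluate(Eq(Var(var), Past(Var(var))), trace)
```

Nesting Past gives deeper history (ΘΘy is s0(y) on the three-state trace), and the Eq form shows how a predicate such as v = Θv, which later environments use to detect a step by a process, is evaluated in the same way.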

Proof outlines define properties. Informally, the property defined by a proof outline PO(λ) includes all behaviors ⟨σ, i, j⟩ in which execution of λ starting in state σ[i] does not cause proof outline invariant $I_{PO(\lambda)}$ to be invalidated. The proof outline invariant implies that the assertion associated with each control variable is true whenever that control variable is true:

$I_{PO(\lambda)}:\ \bigwedge_{\lambda' \in Lab(\lambda)} ((at(\lambda') \Rightarrow pre(\lambda')) \wedge (after(\lambda') \Rightarrow post(\lambda')))$ (4.3)

It is easier to reason about proof outlines when the precondition for each statement λ' summarizes what is required for $I_{PO(\lambda)}$ to hold when at(λ') is true. For a proof outline PO(λ), this self consistency requirement is:

For every label λ' ∈ Lab(λ):

If λ' labels a sequential composition λ': [λ1: [S1]; λ2: [S2]] then:


Footnote: The Proof Outline Logic of [S94] also allows recursively-defined terms using Θ. This increases the expressiveness of the assertion language, but is independent of the issues being addressed in this paper. Therefore, in the interest of simplicity, we omit such terms from the assertion language.
  $pre(\lambda') \Rightarrow pre(\lambda_1)$
  $post(\lambda_1) \Rightarrow pre(\lambda_2)$

If λ' labels a parallel composition λ': [λ1: [S1] // λ2: [S2]] then:
  $pre(\lambda') \Rightarrow (pre(\lambda_1) \wedge pre(\lambda_2))$


We can now formally define the set $[[PO(\lambda)]]$ of behaviors in the property PO(λ):

$[[PO(\lambda)]] = \emptyset$ if PO(λ) is not self consistent; otherwise
$[[PO(\lambda)]] = \{\langle\sigma, i, j\rangle \mid \sigma[..i] \not\models I_{PO(\lambda)}\ \text{or for all } k, i \le k \le j: \sigma[..k] \models I_{PO(\lambda)}\}$ (4.4)

Thus, $[[PO(\lambda)]]$ is empty if PO(λ) is not self-consistent. And, if PO(λ) is self consistent then $[[PO(\lambda)]]$ includes a behavior ⟨σ, i, j⟩ provided either (i) $I_{PO(\lambda)}$ is not satisfied when execution is started in state σ[i] or (ii) $I_{PO(\lambda)}$ is kept true throughout execution started in state σ[i]. In the definition, proof outline invariant $I_{PO(\lambda)}$ is evaluated in prefixes of σ because assertions may contain terms involving Θ.

A proof outline is defined to be valid iff (λ, PO(λ)) ∈ Sat holds, where

$\langle\lambda, PO(\lambda)\rangle \in Sat$ if and only if $[[\lambda]] \subseteq [[PO(\lambda)]]$ (4.5)

as prescribed by (2.1). Appendix A contains a sound and complete proof system for establishing that a proof outline is valid. Such logics have become commonplace since Hoare's original proposal [H69]. The particular axiomatization that we give is based on [S94], which, in turn, builds on the logic of [L80].


4.2.  Exploiting  an  Environment  with  Proof  Outlines 

Our program language does not satisfy the closure conditions required for Program Reduction (2.3), nor does the property language (proof outlines) satisfy the closure conditions required for Property Reduction (2.4). To pursue property reduction, we define a language EnvL that characterizes properties imposed by environments. We then extend the property language so that it satisfies the necessary closure condition for property reduction.

We base EnvL on the assertion language of proof outlines. Every formula of EnvL is of the form □A where A is a formula of the assertion language. □A defines a set of behaviors as follows.

$[[\Box A]] = \{\langle\sigma, i, j\rangle \mid \text{For all } k, i \le k \le j: \sigma[..k] \models A\}$

Thus, □A contains behaviors ⟨σ, i, j⟩ for which prefixes σ[..i], σ[..i+1], ..., σ[..j] do not violate A.

Formulas in EnvL define safety properties, and EnvL includes all of the scheduler and real-time examples of §3.3 and §3.4. A more expressive assertion language (e.g. the one with recursive terms in [S94]) would enable all safety properties to be defined in this manner.

In order to close the property language of Proof Outline Logic under union with the complement of $[[\Box A]]$, we introduce a new form of proof outline. A constrained proof outline is a formula □A → PO(λ), where A is a formula of the assertion language and PO(λ) is an ordinary proof outline. The property defined by a constrained proof outline is given by:

$[[\Box A \to PO(\lambda)]] = [[PO(\lambda)]] \cup \overline{[[\Box A]]}$ (4.6)

$\overline{[[\Box A]]}$ denotes the complement of $[[\Box A]]$. Generalizing from ordinary proof outlines, a constrained proof outline □A → PO(λ) is considered valid iff (λ, □A → PO(λ)) ∈ Sat. Thus, if □A → PO(λ) is valid then $[[\lambda]] \subseteq [[\Box A \to PO(\lambda)]]$ holds.

The set of properties defined by constrained proof outlines and proof outlines does satisfy the necessary closure condition for property reduction. Given a program λ, let $\Sigma_\lambda$ be the set of constrained proof outlines and proof outlines for λ. The required closure condition is equivalent to:

Lemma: For any assertion A and any $\Phi \in \Sigma_\lambda$, there exists a constrained proof outline $\Phi'$ in $\Sigma_\lambda$ such that

$[[\Phi']] = [[\Phi]] \cup \overline{[[\Box A]]}$

Proof. The proof is by cases.

Case: Φ is an ordinary proof outline. In this case, choose Φ' to be □A → Φ.

Case: Φ is a constrained proof outline □B → PO(λ). In this case, choose Φ' to be □(A ∧ B) → PO(λ). This choice is justified by the following.

$\langle\sigma, i, j\rangle \in [[\Box(A \wedge B) \to PO(\lambda)]]$
iff ⟪definition (4.6) of $[[\Box(A \wedge B) \to PO(\lambda)]]$⟫
$\langle\sigma, i, j\rangle \in ([[PO(\lambda)]] \cup \overline{[[\Box(A \wedge B)]]})$
iff ⟪definition of $[[\Box(A \wedge B)]]$⟫
$\langle\sigma, i, j\rangle \in ([[PO(\lambda)]] \cup \overline{[[\Box A]]} \cup \overline{[[\Box B]]})$
iff ⟪definition (4.6) of $[[\Box B \to PO(\lambda)]]$⟫
$\langle\sigma, i, j\rangle \in ([[\Box B \to PO(\lambda)]] \cup \overline{[[\Box A]]})$

Q.E.D.


Logic  for  Constrained  Proof  Outlines 

Our goal is to prove that a program λ satisfies a property PO(λ) under an environment □A:

$(\lambda, \Box A, PO(\lambda)) \in ESat$ (4.7)

Using Property Reduction (2.4), we see that to prove (4.7), it suffices to be able to prove that λ satisfies property □A → PO(λ).

$(\lambda, \Box A, PO(\lambda)) \in ESat$
iff ⟪Property Reduction (2.4)⟫
$(\lambda, PO(\lambda) \cup \overline{\Box A}) \in Sat$
iff ⟪definition (2.1)⟫
$[[\lambda]] \subseteq [[PO(\lambda) \cup \overline{\Box A}]]$
iff ⟪$[[F \cup G]] = [[F]] \cup [[G]]$ and definition (4.6) of □A → PO(λ)⟫
$[[\lambda]] \subseteq [[\Box A \to PO(\lambda)]]$
iff ⟪definition (2.1)⟫
$(\lambda, \Box A \to PO(\lambda)) \in Sat$

The deductive system of Appendix A enables us to prove that (λ, Φ) ∈ Sat holds for Φ an ordinary proof outline. Extensions are needed for the case where Φ is a constrained proof outline. We now give these; a soundness and completeness proof for them appears in Appendix B.

For reasoning about assignment statements executed under an environment □A, we can assume that A holds before execution and, because the environment precludes transition to a state satisfying ¬A, any postcondition asserting ¬A can be strengthened.

Cnstr-Assig: $\dfrac{\{p \wedge A\}\ \lambda: [x := E]\ \{q \vee \neg A\}}{\Box A \to \{p\}\ \lambda: [x := E]\ \{q\}}$


Sequential composition under an environment □A allows a weaker postcondition for the first statement, since the environment ensures that A will hold.

Cnstr-SeqComp: $\dfrac{\Box A \to PO(\lambda_1),\quad \Box A \to PO(\lambda_2),\quad (A \wedge post(\lambda_1)) \Rightarrow pre(\lambda_2)}{\Box A \to \{pre(\lambda_1)\}\ \lambda: [PO(\lambda_1);\ PO(\lambda_2)]\ \{post(\lambda_2)\}}$

Parallel composition under an environment □A also allows weaker assertions. A can be assumed in the preconditions of the interference-freedom proofs.

Cnstr-ParComp: $\dfrac{\Box A \to PO(\lambda_1),\quad \Box A \to PO(\lambda_2),\quad \Box A \to PO(\lambda_1) \text{ and } \Box A \to PO(\lambda_2) \text{ are interference free}}{\Box A \to \{pre(\lambda_1) \wedge pre(\lambda_2)\}\ \lambda: [PO(\lambda_1)\ //\ PO(\lambda_2)]\ \{post(\lambda_1) \wedge post(\lambda_2)\}}$

We establish that □A → PO(λ1) and □A → PO(λ2) are interference free in much the same way as for ordinary proof outlines.

For all $\lambda_a \in Assig(\lambda_1)$, where $\lambda_a$ is the assignment $\lambda_a: [x := E]$:

$\Box A \to \{at(\lambda_a) \wedge I_{PO(\lambda_1)} \wedge I_{PO(\lambda_2)}\}\ \lambda_a: [x := E]\ \{I_{PO(\lambda_2)}\}$

For all $\lambda_a \in Assig(\lambda_2)$, where $\lambda_a$ is the assignment $\lambda_a: [x := E]$:

$\Box A \to \{at(\lambda_a) \wedge I_{PO(\lambda_1)} \wedge I_{PO(\lambda_2)}\}\ \lambda_a: [x := E]\ \{I_{PO(\lambda_1)}\}$

As with ordinary proof outlines, two rules allow us to modify assertions based on deductions possible in the assertion language. For a constrained proof outline □A → PO(λ), we can assume A in making those deductions.

Cnstr-Conseq: $\dfrac{\Box A \to PO(\lambda),\quad (p \wedge A) \Rightarrow pre(\lambda),\quad (post(\lambda) \wedge A) \Rightarrow q}{\Box A \to \{p\}\ PO(\lambda)\ \{q\}}$

Cnstr-Equiv: $\dfrac{\Box A \to PO(\lambda),\quad A \Rightarrow (I_{PO(\lambda)} = I_{PO'(\lambda)}),\quad PO'(\lambda) \text{ is self consistent}}{\Box A \to PO'(\lambda)}$

Example  Revisited 

We illustrate the deductive system for constrained proof outlines by proving that y=3 holds upon termination, when the program of Figure 4.1 is executed by a single processor using a fixed-priority scheduler with process λ1 having higher priority than λ2.

Recall that a fixed-priority scheduler rules out allocating a processor to any but the highest-priority processes, where a fixed priority value is associated with each process π. The formulation of this restriction using the assertion language of our Proof Outline Logic closely parallels our TLA formulation in §3.3.

As before, for N the number of processors, we define:

Alloc(N): $(\#\pi \in \Pi: active_\pi) \le N$
Run(π): $active_\pi \Rightarrow \pi \in TOP(N, \Pi)$

These state that variable $active_\pi$ is true for the N highest ranked different processes π. To stipulate that $active_\pi$ be true in order for a process to execute an atomic action, let Lab(λ_π) be the set of labels for process π. Execution of an atomic action from π causes control variables to change for some λ' ∈ Lab(λ_π).

Pgrs(π): $(\Theta true \wedge \bigvee_{\lambda' \in Lab(\lambda_\pi)} \ldots) \Rightarrow \Theta active_\pi$

The rank $rank_\pi$ of a process depends on whether or not that process has terminated. Since we assume that process π has label λ_π, that process has not terminated if in(λ_π) is true. We thus can assign values to $rank_\pi$ using $v_\pi$, as follows.

Prio(π): $(in(\lambda_\pi) \Rightarrow (rank_\pi = v_\pi)) \wedge (\neg in(\lambda_\pi) \Rightarrow (rank_\pi = 0))$

Combining these, we obtain an assertion FixedPrio which characterizes a fixed-priority scheduler.

FixedPrio: $Alloc(N) \wedge (\forall \pi \in \Pi: Run(\pi) \wedge Pgrs(\pi) \wedge Prio(\pi))$

To conclude that y=3 holds upon termination of program λ in Figure 4.1, we prove □FixedPrio → PO(λ) a theorem, where post(λ) ⇒ y=3. We assume N = 1, $v_{\lambda_1} = 2$, and $v_{\lambda_2} = 1$.


Using Assig2 (of Appendix A), we get:

$\{at(\lambda_2)\}\ \lambda_{11}: [y := 1]\ \{at(\lambda_2)\}$ (4.8)

$\{at(\lambda_2)\}\ \lambda_{12}: [y := 2]\ \{at(\lambda_2)\}$ (4.9)

With Conseq (of Appendix A), we can strengthen the precondition of (4.8) and (4.9) as well as weaken the postconditions of both, in preparation for using Cnstr-Assig with □FixedPrio:

$\{at(\lambda_2) \wedge FixedPrio\}\ \lambda_{11}: [y := 1]\ \{at(\lambda_2) \vee \neg FixedPrio\}$ (4.10)

$\{at(\lambda_2) \wedge FixedPrio\}\ \lambda_{12}: [y := 2]\ \{true \vee \neg FixedPrio\}$ (4.11)

Using Cnstr-Assig we now obtain:

$\Box FixedPrio \to \{at(\lambda_2)\}\ \lambda_{11}: [y := 1]\ \{at(\lambda_2)\}$ (4.12)

$\Box FixedPrio \to \{at(\lambda_2)\}\ \lambda_{12}: [y := 2]\ \{true\}$ (4.13)

We combine these, using Cnstr-SeqComp to obtain a constrained proof outline for process λ1.

$\Box FixedPrio \to \{at(\lambda_2)\}$
$\quad \lambda_1: [\ \{at(\lambda_2)\}\ \lambda_{11}: [y := 1]\ \{at(\lambda_2)\};$
$\qquad\quad \{at(\lambda_2)\}\ \lambda_{12}: [y := 2]\ \{true\}\ ]$
$\quad \{true\}$ (4.14)


A proof outline for process λ2 is constructed by starting with Assig1 (of Appendix A).

$\{3 = 3\}\ \lambda_2: [y := 3]\ \{y = 3\}$ (4.15)

In preparation for using Cnstr-Assig, the precondition is strengthened and the postcondition is weakened.

$\{true \wedge FixedPrio\}\ \lambda_2: [y := 3]\ \{y = 3 \vee \neg FixedPrio\}$ (4.16)

We now can use Cnstr-Assig to obtain a constrained proof outline for process λ2:

$\Box FixedPrio \to \{true\}\ \lambda_2: [y := 3]\ \{y = 3\}$ (4.17)

Finally, we use Cnstr-ParComp to combine (4.14) and (4.17):

$\Box FixedPrio \to \{at(\lambda_2)\}$
$\quad \lambda: [\ \{at(\lambda_2)\}$
$\qquad \lambda_1: [\ \{at(\lambda_2)\}\ \lambda_{11}: [y := 1]\ \{at(\lambda_2)\};$
$\qquad\qquad \{at(\lambda_2)\}\ \lambda_{12}: [y := 2]\ \{true\}\ ]$
$\qquad \{true\}$
$\qquad //$
$\qquad \{true\}\ \lambda_2: [y := 3]\ \{y = 3\}\ ]$
$\quad \{y = 3\}$ (4.18)

This requires that we discharge the following interference-freedom requirements:

$\Box FixedPrio \to \{at(\lambda_{11}) \wedge I_{PO(\lambda_1)} \wedge I_{PO(\lambda_2)}\}\ \lambda_{11}: [y := 1]\ \{I_{PO(\lambda_2)}\}$ (4.19)

$\Box FixedPrio \to \{at(\lambda_{12}) \wedge I_{PO(\lambda_1)} \wedge I_{PO(\lambda_2)}\}\ \lambda_{12}: [y := 2]\ \{I_{PO(\lambda_2)}\}$ (4.20)

$\Box FixedPrio \to \{at(\lambda_2) \wedge I_{PO(\lambda_1)} \wedge I_{PO(\lambda_2)}\}\ \lambda_2: [y := 3]\ \{I_{PO(\lambda_1)}\}$ (4.21)

where:

$I_{PO(\lambda_1)}$: $(at(\lambda_1) \Rightarrow at(\lambda_2)) \wedge (after(\lambda_1) \Rightarrow true)$
$\qquad \wedge\ (at(\lambda_{11}) \Rightarrow at(\lambda_2)) \wedge (after(\lambda_{11}) \Rightarrow at(\lambda_2))$
$\qquad \wedge\ (at(\lambda_{12}) \Rightarrow at(\lambda_2)) \wedge (after(\lambda_{12}) \Rightarrow true)$

$I_{PO(\lambda_2)}$: $(at(\lambda_2) \Rightarrow true) \wedge (after(\lambda_2) \Rightarrow y = 3)$

$I_{PO(\lambda_1)}$ and $I_{PO(\lambda_2)}$ can be simplified, using ordinary Predicate Logic, resulting in:

$I_{PO(\lambda_1)}$: $(at(\lambda_1) \vee at(\lambda_{11}) \vee after(\lambda_{11}) \vee at(\lambda_{12})) \Rightarrow at(\lambda_2)$
$I_{PO(\lambda_2)}$: $after(\lambda_2) \Rightarrow y = 3$

To prove formula (4.19), observe that according to the definitions of $I_{PO(\lambda_1)}$, $I_{PO(\lambda_2)}$ and FixedPrio:

$(at(\lambda_{11}) \wedge I_{PO(\lambda_1)} \wedge I_{PO(\lambda_2)} \wedge FixedPrio) \Rightarrow at(\lambda_2)$
$at(\lambda_2) \Rightarrow (I_{PO(\lambda_2)} \vee \neg FixedPrio)$

Applying Conseq and then Cnstr-Assig to (4.8) we obtain (4.19). The proof of (4.20) is virtually identical.

Proving formula (4.21) illustrates the role of environment □FixedPrio. Using Assig3, Equiv, and Conseq it is not difficult to prove:

$\{at(\lambda_2)\}\ \lambda_2: [y := 3]\ \{Q:\ \Theta at(\lambda_2) \wedge \neg at(\lambda_2) \wedge at(\lambda_1) = \Theta at(\lambda_1) \wedge (\Theta in(\lambda_1) \vee after(\lambda_1))\}$

$\{in(\lambda_1) \Rightarrow (active_{\lambda_1} \wedge \neg active_{\lambda_2})\}\ \lambda_2: [y := 3]\ \{R:\ \Theta(in(\lambda_1) \Rightarrow (active_{\lambda_1} \wedge \neg active_{\lambda_2}))\}$

Each of these preconditions is implied by $at(\lambda_2) \wedge I_{PO(\lambda_1)} \wedge I_{PO(\lambda_2)} \wedge FixedPrio$, so we can use Conseq to strengthen each and deduce:

$\{at(\lambda_2) \wedge I_{PO(\lambda_1)} \wedge I_{PO(\lambda_2)} \wedge FixedPrio\}\ \lambda_2: [y := 3]\ \{Q\}$

$\{at(\lambda_2) \wedge I_{PO(\lambda_1)} \wedge I_{PO(\lambda_2)} \wedge FixedPrio\}\ \lambda_2: [y := 3]\ \{R\}$

Therefore, by Conj, we obtain:

$\{at(\lambda_2) \wedge I_{PO(\lambda_1)} \wedge I_{PO(\lambda_2)} \wedge FixedPrio\}\ \lambda_2: [y := 3]\ \{Q \wedge R\}$

We now use Conseq to infer that $I_{PO(\lambda_1)}$ or ¬FixedPrio holds whenever Q ∧ R does by proving:

$(in(\lambda_1) \wedge Q \wedge R) \Rightarrow \neg FixedPrio$
$(after(\lambda_1) \wedge Q \wedge R) \Rightarrow I_{PO(\lambda_1)}$

Using these with Conseq, we conclude:

$\{at(\lambda_2) \wedge I_{PO(\lambda_1)} \wedge I_{PO(\lambda_2)} \wedge FixedPrio\}\ \lambda_2: [y := 3]\ \{I_{PO(\lambda_1)} \vee \neg FixedPrio\}$

Cnstr-Assig now allows us to conclude (4.21), as is desired.

4.3.  An  Even  Older  Recipe 

The notion of a constrained proof outline is not new. In [LS85] a similar idea was discussed in connection with reasoning about aliasing and other artifacts of variable declarations. The aliasing of two variables imposes the constraint that their values are equal; the declaration of a variable imposes a constraint on the values that variable may store. Constrained proof outlines, because they provide a basis for proving properties of programs whose execution depends on constraints being preserved, are thus a way to reason about aliasing and declarations. An even earlier call for a construct like our constrained proof outlines appears in [L80]. There, Lamport claims that such proof outlines would be helpful in proving certain types of safety properties of concurrent programs.

5.  Discussion 

Related  Work 

Our work is perhaps closest in spirit to the various approaches for reasoning about open systems. An open system is one that interacts with its environment through shared memory or communication. The execution of such a system is commonly modeled as an interleaving of steps by the system and steps by the environment. Since an open system is not expected to function properly in an arbitrary environment, its specification typically will contain explicit assumptions about the environment. Such specifications are called assume-guarantee specifications because they guarantee behavior when the environment satisfies some assumptions. Logics for verifying safety properties of assume-guarantee specifications are discussed in [FFG92], [J83], and [MC81]; liveness properties are treated in [AL91], [BKP84], and [P85]; and model-checking techniques based on assume-guarantee specifications are introduced in [CLM89] and [GL91].

Our approach differs from this open systems work both in the role played by the environment and in how state changes are made by the environment. We use the environment to represent aspects of the computation model, not as an abstraction of the behaviors for other agents that will run concurrently with the system. Second, in our approach, every state change obeys constraints defined by the environment. State changes attributed to the environment are not interleaved with system actions, as is the case with the open systems view.




Our view of the environment and the view employed for open systems are complementary. They address different problems. Both notions of environment can coexist in a single logic. Open systems and their notion of an environment are an accepted part of the verification scene. This paper explores the use of a new type of environment. Our environments allow logics to be extended for various computational models. As a result, a single principle suffices for reasoning about the effects of schedulers, real-time models, resource constraints, and fairness assumptions. Thus, one does not have to redesign a programming logic every time the computational model is changed.

In terms of program construction, our notion of an environment is closely related to superposition [K87] [BF88] [CM88]. The superposition of two programs S and T is a single program, each of whose steps comprises a step of S and a step of T performed simultaneously. Thus, in terms of TLA, the superposition of two actions is simply their conjunction. Our work extends the domain of applicability for superposition by allowing one component of a superposition to characterize aspects of a computational model.

Redefining  Feasible  Behaviors 

The definition of §2 for the feasible behaviors of a program S under an environment E is not the only plausible one. Every infeasible behavior of S ruled out by E has a maximal finite prefix (possibly empty) that agrees with a prefix of some behavior in E. Such a prefix can be regarded as modeling an execution of S that aborts due to the constraints of E, and this prefix might well be included in the set of feasible behaviors.

For example, consider executing the program

T: x := 0; do i := 1 to 5: x := x+1 od

in an environment that constrains x to be between 0 and 3 (i.e., x is represented using 2 bits). The alternative definition of feasible behaviors would include prefixes of behaviors of T up until the point where an attempt is made to store 4 into x. Using the definition of §2, the set of feasible behaviors would be empty.

The alternative definition of feasible behaviors for a program S under an environment E,

$([[S]] \cap [[E]]) \cup (prefix([[S]]) \cap prefix([[E]]))$, (5.1)

admits reasoning about feasible, but incomplete, executions of a program under a given environment. Unfortunately, we have been unable to identify reduction principles for definition (5.1). It remains an open question how to extend a logic for Sat into a logic for ESat given this definition.
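The two definitions compared on the program T above, as an added example that is not from the paper: behaviors are finite state lists here, the environment E is "x stays between 0 and 3", and for each behavior ruled out by E the maximal prefix agreeing with E is kept as the aborted execution the text describes. The function names are this example's own.

```python
# Added example, not from the paper: the definition of §2 versus (5.1) for the
# feasible behaviours of program T under the environment "0 ≤ x ≤ 3". Behaviours
# are finite lists of states here; the function names are this example's own.

def behaviour_of_T():
    """The single behaviour of T: x := 0; do i := 1 to 5: x := x+1 od."""
    states = [{"x": 0}]
    for _ in range(5):
        states.append({"x": states[-1]["x"] + 1})
    return states

def in_E(state):
    """The environment E: x is representable in two bits."""
    return 0 <= state["x"] <= 3

def feasible_sec2(behaviours):
    """[[S]] ∩ [[E]]: behaviours all of whose states satisfy E."""
    return [b for b in behaviours if all(in_E(s) for s in b)]

def feasible_5_1(behaviours):
    """(5.1) additionally admits prefixes of [[S]] that are prefixes of [[E]]
    behaviours; for each ruled-out behaviour the maximal such prefix is kept,
    the execution that aborts at the first violating step."""
    result = feasible_sec2(behaviours)
    for b in behaviours:
        if b in result:
            continue
        n = 0
        while n < len(b) and in_E(b[n]):
            n += 1
        result.append(b[:n])
    return result
```

The §2 definition yields no feasible behavior for T, while (5.1) yields the four-state prefix x = 0, 1, 2, 3 that stops just before the attempt to store 4.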

6.  Conclusion 

In this paper, we have shown that environments are a powerful device for making aspects of a computational model explicit in a programming logic. We have shown how environments can be used to formalize schedulers and real-time; a forthcoming paper will show how they can be applied to hybrid systems, where a continuous transition system governs changes to certain variables.

We have given two semantic principles, program reduction and property reduction, for extending programming logics to enable reasoning about program executions feasible under a specified environment. Having such principles means that a new logic need not be designed every time the computational model served by an extant logic is changed. For example, in this paper, we give a new way to reason about real-time in TLA and in Hoare-style programming logics. We also derive the first Hoare-style logic for reasoning about schedulers.

The basic idea of reasoning about program executions that are feasible in some environment is not new, having enjoyed widespread use in connection with open systems. The basic idea of augmenting the individual state transitions caused by the atomic actions in a program is not new, either. It underlies methods for program composition by superposition, methods for reasoning about aliasing, and proposals for verifying certain types of safety properties. What is new is our use of environments for describing aspects of a computational model and our unifying semantic principles for reasoning about environments. Extensions to a computational model can now be translated into extensions to an existing programming logic, by applying one of two simple semantic principles.
Appendix A: A Logic of Proof Outlines

The deductive system for reasoning about assertions includes the axioms and inference rules of first-order predicate logic. It also axiomatizes theories for the datatypes of program variables and expressions. Perhaps the only aspect of this axiomatization that might be unfamiliar concerns Θ. It will include axioms like:

$\Theta true \Rightarrow (\Theta f(T_1, \ldots, T_n) = f(\Theta T_1, \ldots, \Theta T_n))$

In order to reason about control variables in program states, each program $\lambda$ gives rise to a set of axioms. These axioms characterize the constraints of Figure 4.2. For every label $\lambda' \in Lab(\lambda)$:

CPO:  inO^)*qfter(k) 

CP1: $\neg(at(\lambda') \wedge after(\lambda'))$

CP2: $at(\lambda') \Rightarrow in(\lambda')$

CP3: If $\lambda'$ labels $[x := E]$: $at(\lambda') = in(\lambda')$

CP4: If $\lambda'$ labels $[\lambda_1: [S];\ \lambda_2: [T]]$:

(a) $at(\lambda') = at(\lambda_1)$

(b) $at(\lambda_2) = after(\lambda_1)$

(c) $after(\lambda') = after(\lambda_2)$

(d) $in(\lambda') = ((in(\lambda_1) \wedge \neg in(\lambda_2)) \vee (\neg in(\lambda_1) \wedge in(\lambda_2)))$

(e) $(in(\lambda_1) \vee in(\lambda_2)) \Rightarrow in(\lambda')$

CP5: If $\lambda'$ labels $[\lambda_1: [S]\ //\ \lambda_2: [T]]$:

(a) $at(\lambda') = (at(\lambda_1) \wedge at(\lambda_2))$

(b) $after(\lambda') = (after(\lambda_1) \wedge after(\lambda_2))$

(c) $in(\lambda') = ((in(\lambda_1) \vee after(\lambda_1)) \wedge (in(\lambda_2) \vee after(\lambda_2)) \wedge \neg(after(\lambda_1) \wedge after(\lambda_2)))$

(d) $(in(\lambda_1) \vee in(\lambda_2)) \Rightarrow in(\lambda')$

For reasoning about proof outlines, we have the following. First, here are the axioms for assignment statements.

Assig1: If no free variable in $p$ is a control variable and $p^E_x$ denotes the predicate logic formula that results from replacing every free occurrence of $x$ in $p$ that is not in the scope of $\circ$ with $E$:

$\{p^E_x\}\ \lambda:[x := E]\ \{p\}$

Assig2: If $\lambda'$ is a label from a program that is parallel to that containing $\lambda$, and $cp(\lambda')$ denotes any of the control variables $at(\lambda')$, $after(\lambda')$, $in(\lambda')$ or their negations:

$\{cp(\lambda')\}\ \lambda:[x := E]\ \{cp(\lambda')\}$

Assig3: $\{p\}\ \lambda:[x := E]\ \{\circ p\}$

Sequential composition is handled by a single inference rule.

SeqComp:
$$\frac{PO(\lambda_1),\quad PO(\lambda_2),\quad post(\lambda_1) \Rightarrow pre(\lambda_2)}{\{pre(\lambda_1)\}\ \lambda:[PO(\lambda_1);\ PO(\lambda_2)]\ \{post(\lambda_2)\}}$$

The parallel composition rule is based on the formulation of interference freedom [OG76] of proof outlines given in [LS84]. Two proof outlines $PO(\lambda_1)$ and $PO(\lambda_2)$ are interference free iff

For all $\lambda_a \in Assig(\lambda_1)$, where $\lambda_a$ is the assignment $\lambda_a: [x := E]$:

$\{at(\lambda_a) \wedge I_{PO(\lambda_1)} \wedge I_{PO(\lambda_2)}\}\ \lambda_a: [x := E]\ \{I_{PO(\lambda_2)}\}$

For all $\lambda_a \in Assig(\lambda_2)$, where $\lambda_a$ is the assignment $\lambda_a: [x := E]$:

$\{at(\lambda_a) \wedge I_{PO(\lambda_1)} \wedge I_{PO(\lambda_2)}\}\ \lambda_a: [x := E]\ \{I_{PO(\lambda_1)}\}$

ParComp:
$$\frac{PO(\lambda_1),\quad PO(\lambda_2),\quad PO(\lambda_1)\text{ and }PO(\lambda_2)\text{ are interference free}}{\{pre(\lambda_1) \wedge pre(\lambda_2)\}\ \lambda:[PO(\lambda_1)\ //\ PO(\lambda_2)]\ \{post(\lambda_1) \wedge post(\lambda_2)\}}$$

Finally, three rules allow us to modify assertions based on the deductive system for the assertion language. Recall, $\{p\}\ PO(\lambda)\ \{q\}$ denotes a proof outline that is identical to $PO(\lambda)$ but with $p$ replacing $pre(\lambda)$ and $q$ replacing $post(\lambda)$.

Conj:
$$\frac{\{p_1\}\ \lambda:[x := E]\ \{q_1\},\quad \{p_2\}\ \lambda:[x := E]\ \{q_2\}}{\{p_1 \wedge p_2\}\ \lambda:[x := E]\ \{q_1 \wedge q_2\}}$$

Conseq:
$$\frac{PO(\lambda),\quad p \Rightarrow pre(\lambda),\quad post(\lambda) \Rightarrow q}{\{p\}\ PO(\lambda)\ \{q\}}$$

Equiv:
$$\frac{PO(\lambda),\quad I_{PO(\lambda)} = I_{PO'(\lambda)},\quad PO'(\lambda)\text{ self consistent}}{PO'(\lambda)}$$
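A worked instance of the Appendix A rules, added here as an illustration and not taken from the paper; the program, its labels and the specification $\{x = 0\}\ \ldots\ \{x = 2\}$ are constructed for the example:

```latex
% Program (constructed):  \lambda:[\lambda_1:[x := x + 1];\ \lambda_2:[x := x + 1]]
% Goal:                   \{x = 0\}\ \lambda:[\ldots]\ \{x = 2\}
\begin{align*}
\text{Assig1:}\quad        & \{(x = 1)^{x+1}_{x}\}\ \lambda_1:[x := x + 1]\ \{x = 1\},
                             \text{ i.e. } \{x + 1 = 1\}\ \lambda_1:[x := x + 1]\ \{x = 1\} \\
\text{Conseq:}\quad        & x = 0 \Rightarrow x + 1 = 1 \text{ gives }
                             \{x = 0\}\ \lambda_1:[x := x + 1]\ \{x = 1\} \\
\text{Assig1, Conseq:}\quad & \{x = 1\}\ \lambda_2:[x := x + 1]\ \{x = 2\} \\
\text{SeqComp:}\quad       & post(\lambda_1) \Rightarrow pre(\lambda_2) \text{ is } x = 1 \Rightarrow x = 1,
                             \text{ so} \\
                           & \{x = 0\}\ \lambda:[\{x = 0\}\ \lambda_1:[x := x + 1]\ \{x = 1\};\
                             \{x = 1\}\ \lambda_2:[x := x + 1]\ \{x = 2\}]\ \{x = 2\}
\end{align*}
% Proof outline invariant of the result, in the shape used in Appendix B:
% I_{PO(\lambda_1)} \wedge I_{PO(\lambda_2)} \wedge (at(\lambda) \Rightarrow pre(\lambda_1))
%                                             \wedge (after(\lambda) \Rightarrow post(\lambda_2))
\begin{align*}
I_{PO(\lambda)}:\quad & (at(\lambda_1) \Rightarrow x = 0) \wedge (after(\lambda_1) \Rightarrow x = 1)
                        \wedge (at(\lambda_2) \Rightarrow x = 1) \wedge (after(\lambda_2) \Rightarrow x = 2) \\
                      & \wedge\ (at(\lambda) \Rightarrow x = 0) \wedge (after(\lambda) \Rightarrow x = 2)
\end{align*}
% By CP4(a) and CP4(c), at(\lambda) = at(\lambda_1) and after(\lambda) = after(\lambda_2), so the
% last two conjuncts are redundant. By CP4(b), at(\lambda_2) = after(\lambda_1), which is why
% SeqComp's side condition post(\lambda_1) \Rightarrow pre(\lambda_2) is what keeps the two
% middle conjuncts consistent in the state where control passes from \lambda_1 to \lambda_2.
```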

Appendix B: Soundness and Completeness for Constrained Proof Outlines

We now prove soundness and relative completeness for the Logic of Constrained Proof Outlines given in section 4.2. Specifically, we prove that Cnstr-Assig, Cnstr-SeqComp, Cnstr-ParComp and Cnstr-Equiv are sound. We also prove that Cnstr-Assig, Cnstr-SeqComp and Cnstr-ParComp comprise a complete deductive system relative to the deductive system of Appendix A for ordinary proof outlines. (Cnstr-Conseq and Cnstr-Equiv of section 4.2 are not necessary for completeness.)
Lemma (Soundness of Cnstr-Assig): The rule

Cnstr-Assig:
$$\frac{\{p \wedge A\}\ \lambda:[x := E]\ \{q \vee \neg A\}}{\Box A \rightarrow \{p\}\ \lambda:[x := E]\ \{q\}}$$

is sound.

Proof. Assume that hypothesis $\{p \wedge A\}\ \lambda:[x := E]\ \{q \vee \neg A\}$ is valid. We show that if $\langle\sigma,i,j\rangle \in [\![\lambda]\!]$ holds, then $\langle\sigma,i,j\rangle \in [\![\Box A \rightarrow \{p\}\ \lambda:[x := E]\ \{q\}]\!]$ holds, and thus that $\Box A \rightarrow \{p\}\ \lambda:[x := E]\ \{q\}$ is valid.

If $\{p \wedge A\}\ \lambda:[x := E]\ \{q \vee \neg A\}$ is valid then, by definition, $[\![\lambda]\!] \subseteq [\![PO(\lambda)]\!]$ holds, where $PO(\lambda)$ is $\{p \wedge A\}\ \lambda:[x := E]\ \{q \vee \neg A\}$. This implies that for any $\langle\sigma,i,j\rangle \in [\![\lambda]\!]$ one of the following must hold:

$\sigma[..i] \not\models I_{PO(\lambda)}$ (B.1.1)

For all $k$, $i \le k \le j$: $\sigma[..k] \models I_{PO(\lambda)}$ (B.1.2)

where $I_{PO(\lambda)}$: $(at(\lambda) \Rightarrow p \wedge A) \wedge (after(\lambda) \Rightarrow q \vee \neg A)$

We consider two cases.

Case 1: Assume $\langle\sigma,i,j\rangle \notin [\![\Box A]\!]$. According to definition (4.6), $\langle\sigma,i,j\rangle$ is in $[\![\Box A \rightarrow \{p\}\ \lambda:[x := E]\ \{q\}]\!]$.

Case 2: Assume $\langle\sigma,i,j\rangle \in [\![\Box A]\!]$. According to the definition of $[\![\Box A]\!]$:

For all $k$, $i \le k \le j$: $\sigma[..k] \models A$ (B.1.3)

It suffices to prove that if (B.1.1) holds or (B.1.2) holds, then $\langle\sigma,i,j\rangle \in [\![\Box A \rightarrow \{p\}\ \lambda:[x := E]\ \{q\}]\!]$.

Case 2.1: Assume (B.1.1) holds. Thus

$\sigma[..i] \models ((at(\lambda) \wedge (\neg p \vee \neg A)) \vee (after(\lambda) \wedge (\neg q \wedge A)))$

holds. Conjoining (B.1.3), we conclude

$\sigma[..i] \models ((at(\lambda) \wedge \neg p) \vee (after(\lambda) \wedge \neg q))$

which implies $\sigma[..i] \not\models (at(\lambda) \Rightarrow p) \wedge (after(\lambda) \Rightarrow q)$. Because $\{p\}\ \lambda:[x := E]\ \{q\}$ is self consistent, by definition (4.4) we have that $\langle\sigma,i,j\rangle \in [\![\{p\}\ \lambda:[x := E]\ \{q\}]\!]$ holds. Hence, by definition (4.6) of the property defined by a constrained proof outline, $\langle\sigma,i,j\rangle \in [\![\Box A \rightarrow \{p\}\ \lambda:[x := E]\ \{q\}]\!]$ holds.

Case 2.2: Assume (B.1.2) holds. Conjoining (B.1.3), we conclude

For all $k$, $i \le k \le j$: $\sigma[..k] \models ((at(\lambda) \Rightarrow p) \wedge (after(\lambda) \Rightarrow q))$.

Because $\{p\}\ \lambda:[x := E]\ \{q\}$ is self consistent, by definition (4.4) we have that $\langle\sigma,i,j\rangle \in [\![\{p\}\ \lambda:[x := E]\ \{q\}]\!]$ holds, so by definition (4.6) $\langle\sigma,i,j\rangle \in [\![\Box A \rightarrow \{p\}\ \lambda:[x := E]\ \{q\}]\!]$ holds as well. □
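Two constructed instantiations of Cnstr-Assig, added here as an illustration rather than taken from the paper; the environment assertions $A$, the programs and the assertions $p$, $q$ are chosen for the example, and each hypothesis is discharged with Assig1 and Conseq of Appendix A:

```latex
% (i) An environment invariant on x is carried over to y by an assignment.
% Take A: x \ge 1,  p: true,  q: y \ge 1,  program \lambda:[y := x].
% Hypothesis of Cnstr-Assig: \{true \wedge x \ge 1\}\ \lambda:[y := x]\ \{y \ge 1 \vee \neg(x \ge 1)\}
\begin{align*}
\text{Assig1:}\quad      & \{(y \ge 1 \vee x < 1)^{x}_{y}\}\ \lambda:[y := x]\ \{y \ge 1 \vee x < 1\} \\
\text{i.e.}\quad         & \{x \ge 1 \vee x < 1\}\ \lambda:[y := x]\ \{y \ge 1 \vee x < 1\} \\
\text{Conseq:}\quad      & (true \wedge x \ge 1) \Rightarrow (x \ge 1 \vee x < 1) \text{ gives }
                           \{true \wedge x \ge 1\}\ \lambda:[y := x]\ \{y \ge 1 \vee \neg(x \ge 1)\} \\
\text{Cnstr-Assig:}\quad & \Box (x \ge 1) \rightarrow \{true\}\ \lambda:[y := x]\ \{y \ge 1\}
\end{align*}
% The unconstrained outline \{true\} \lambda:[y := x] \{y \ge 1\} is not valid (start with x = 0);
% the postcondition is only guaranteed on executions that the environment \Box(x \ge 1) permits.

% (ii) An environment can make every completed execution infeasible.
% Take A: x \ne 2,  p: x = 0,  q: false,  program \lambda:[x := x + 2].
% Hypothesis: \{x = 0 \wedge x \ne 2\}\ \lambda:[x := x + 2]\ \{false \vee \neg(x \ne 2)\},
% whose postcondition simplifies to x = 2.
\begin{align*}
\text{Assig1:}\quad      & \{x + 2 = 2\}\ \lambda:[x := x + 2]\ \{x = 2\} \\
\text{Conseq:}\quad      & (x = 0 \wedge x \ne 2) \Rightarrow x + 2 = 2 \text{ gives }
                           \{x = 0 \wedge x \ne 2\}\ \lambda:[x := x + 2]\ \{x = 2\} \\
\text{Cnstr-Assig:}\quad & \Box (x \ne 2) \rightarrow \{x = 0\}\ \lambda:[x := x + 2]\ \{false\}
\end{align*}
% Read semantically: a triple \langle\sigma,i,i+1\rangle \in [[\lambda]] with \sigma[..i] \models x = 0
% has \sigma[..i+1] \models x = 2, so it is not in [[\Box(x \ne 2)]] and the implication holds
% vacuously, exactly the Case 1 branch of the soundness proof above.
```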


Lemma (Soundness of Cnstr-SeqComp): The rule

Cnstr-SeqComp:
$$\frac{\Box A \rightarrow PO(\lambda_1),\quad \Box A \rightarrow PO(\lambda_2),\quad (A \wedge post(\lambda_1)) \Rightarrow pre(\lambda_2)}{\Box A \rightarrow \{pre(\lambda_1)\}\ \lambda:[PO(\lambda_1);\ PO(\lambda_2)]\ \{post(\lambda_2)\}}$$

is sound.

Proof. Assume that the hypotheses are valid. Therefore, we have that $PO(\lambda_1)$ is self consistent, $PO(\lambda_2)$ is self consistent, and:

$[\![\lambda_1]\!] \subseteq ([\![PO(\lambda_1)]\!] \cup [\![\neg\Box A]\!])$ (B.2.1)

$[\![\lambda_2]\!] \subseteq ([\![PO(\lambda_2)]\!] \cup [\![\neg\Box A]\!])$ (B.2.2)

$(A \wedge post(\lambda_1)) \Rightarrow pre(\lambda_2)$ (B.2.3)

To establish validity of the rule's conclusion, we must prove that $[\![\lambda]\!] \subseteq [\![\Box A \rightarrow PO(\lambda)]\!]$, where $PO(\lambda)$ is $\{pre(\lambda_1)\}\ \lambda:[PO(\lambda_1);\ PO(\lambda_2)]\ \{post(\lambda_2)\}$. We do this by proving $\langle\sigma,i,j\rangle \in [\![\lambda]\!]$ implies $\langle\sigma,i,j\rangle \in ([\![PO(\lambda)]\!] \cup [\![\neg\Box A]\!])$, where, according to definition (4.3) of $I_{PO(\lambda)}$, we have:

$I_{PO(\lambda)}$: $I_{PO(\lambda_1)} \wedge I_{PO(\lambda_2)} \wedge (at(\lambda) \Rightarrow pre(\lambda_1)) \wedge (after(\lambda) \Rightarrow post(\lambda_2))$

Let $\langle\sigma,i,j\rangle \in [\![\lambda]\!]$ hold. We consider two cases.

Case 1: Assume $\langle\sigma,i,j\rangle \notin [\![\Box A]\!]$. According to definition (4.6) of a constrained proof outline, $\langle\sigma,i,j\rangle \in [\![\Box A \rightarrow PO(\lambda)]\!]$ holds.

Case 2: Assume $\langle\sigma,i,j\rangle \in [\![\Box A]\!]$. In order to conclude $\langle\sigma,i,j\rangle \in [\![\Box A \rightarrow PO(\lambda)]\!]$ holds, we must show that $\langle\sigma,i,j\rangle \in [\![PO(\lambda)]\!]$ holds. According to the definition of sequential composition $[\![\lambda:[\lambda_1;\ \lambda_2]]\!]$, there are three cases:

(2.1) For all $k$, $i \le k \le j$: $\sigma[k] \not\models (in(\lambda_2) \vee after(\lambda_2))$ and $\langle\sigma,i,j\rangle \in [\![\lambda_1]\!]$.

(2.2) For all $k$, $i \le k \le j$: $\sigma[k] \not\models (in(\lambda_1) \vee after(\lambda_1))$ and $\langle\sigma,i,j\rangle \in [\![\lambda_2]\!]$.

(2.3) Exists $n$, $i \le n \le j$: $\langle\sigma,i,n\rangle \in [\![\lambda_1]\!]$ and $\langle\sigma,n,j\rangle \in [\![\lambda_2]\!]$ and $\sigma[n] \models (after(\lambda_1) \wedge at(\lambda_2))$ and for all $k$, $i \le k < n$: $\sigma[k] \not\models (in(\lambda_2) \vee after(\lambda_2))$ and for all $k$, $n < k \le j$: $\sigma[k] \not\models (in(\lambda_1) \vee after(\lambda_1))$.

Case 2.1: Assume that for all $k$, $i \le k \le j$: $\sigma[k] \not\models (in(\lambda_2) \vee after(\lambda_2))$ and $\langle\sigma,i,j\rangle \in [\![\lambda_1]\!]$ hold. According to (B.2.1), $\langle\sigma,i,j\rangle \in ([\![PO(\lambda_1)]\!] \cup [\![\neg\Box A]\!])$. Given assumption (of Case 2) $\langle\sigma,i,j\rangle \in [\![\Box A]\!]$, we conclude $\langle\sigma,i,j\rangle \in [\![PO(\lambda_1)]\!]$. Thus, by definition (4.4) of $[\![PO(\lambda_1)]\!]$, we have that either $\sigma[..i] \not\models I_{PO(\lambda_1)}$ or else for all $k$, $i \le k \le j$: $\sigma[..k] \models I_{PO(\lambda_1)}$. Since $at(\lambda_1) = at(\lambda)$ due to Control Predicate Axiom CP4(a) of Appendix A and $pre(\lambda)$ is $pre(\lambda_1)$, we conclude that either

$\sigma[..i] \not\models (I_{PO(\lambda_1)} \wedge (at(\lambda) \Rightarrow pre(\lambda_1)))$ or else (B.2.5)

for all $k$, $i \le k \le j$: $\sigma[..k] \models I_{PO(\lambda_1)} \wedge (at(\lambda) \Rightarrow pre(\lambda_1))$. (B.2.6)

From assumption (of Case 2.1) for all $k$, $i \le k \le j$: $\sigma[k] \not\models (in(\lambda_2) \vee after(\lambda_2))$, we conclude that for all $k$, $i \le k \le j$: $\sigma[..k] \models I_{PO(\lambda_2)}$. And, because $after(\lambda_2) = after(\lambda)$ due to Control Predicate Axiom CP4(c) of Appendix A, we have for all $k$, $i \le k \le j$: $\sigma[..k] \models (I_{PO(\lambda_2)} \wedge (after(\lambda) \Rightarrow post(\lambda_2)))$. Conjoining this with (B.2.5) and (B.2.6) we get that either $\sigma[..i] \not\models I_{PO(\lambda)}$ or else for all $k$, $i \le k \le j$: $\sigma[..k] \models I_{PO(\lambda)}$ holds. Since $PO(\lambda)$ is self consistent (because $(A \wedge post(\lambda_1)) \Rightarrow pre(\lambda_2)$ and both $PO(\lambda_1)$ and $PO(\lambda_2)$ are self consistent),  we have $\langle\sigma,i,j\rangle \in [\![PO(\lambda)]\!]$. Thus, by definition (4.6) we conclude that $\langle\sigma,i,j\rangle \in [\![\Box A \rightarrow PO(\lambda)]\!]$.

Case 2.2: Assume for all $k$, $i \le k \le j$: $\sigma[k] \not\models (in(\lambda_1) \vee after(\lambda_1))$ and $\langle\sigma,i,j\rangle \in [\![\lambda_2]\!]$ hold. According to (B.2.2), $\langle\sigma,i,j\rangle \in ([\![PO(\lambda_2)]\!] \cup [\![\neg\Box A]\!])$. Given assumption (of Case 2) $\langle\sigma,i,j\rangle \in [\![\Box A]\!]$, we conclude $\langle\sigma,i,j\rangle \in [\![PO(\lambda_2)]\!]$. Thus, by definition (4.4) of $[\![PO(\lambda_2)]\!]$, we have that either $\sigma[..i] \not\models I_{PO(\lambda_2)}$ or else for all $k$, $i \le k \le j$: $\sigma[..k] \models I_{PO(\lambda_2)}$. Since $after(\lambda_2) = after(\lambda)$ due to Control Predicate Axiom CP4(c) of Appendix A, we conclude that either

$\sigma[..i] \not\models (I_{PO(\lambda_2)} \wedge (after(\lambda) \Rightarrow post(\lambda_2)))$ or else (B.2.7)

for all $k$, $i \le k \le j$: $\sigma[..k] \models I_{PO(\lambda_2)} \wedge (after(\lambda) \Rightarrow post(\lambda_2))$. (B.2.8)

From assumption (of Case 2.2) for all $k$, $i \le k \le j$: $\sigma[k] \not\models (in(\lambda_1) \vee after(\lambda_1))$ we conclude that for all $k$, $i \le k \le j$: $\sigma[..k] \models I_{PO(\lambda_1)}$. And, because $at(\lambda_1) = at(\lambda)$ due to Control Predicate Axiom CP4(a) of Appendix A, we have for all $k$, $i \le k \le j$: $\sigma[..k] \models (I_{PO(\lambda_1)} \wedge (at(\lambda) \Rightarrow pre(\lambda_1)))$. Conjoining this with (B.2.7) and (B.2.8) we get $\sigma[..i] \not\models I_{PO(\lambda)}$ or else for all $k$, $i \le k \le j$: $\sigma[..k] \models I_{PO(\lambda)}$ holds. Since $PO(\lambda)$ is self consistent (because $(A \wedge post(\lambda_1)) \Rightarrow pre(\lambda_2)$ and both $PO(\lambda_1)$ and $PO(\lambda_2)$ are self consistent), we have $\langle\sigma,i,j\rangle \in [\![PO(\lambda)]\!]$. Thus, by definition (4.6) we conclude that $\langle\sigma,i,j\rangle \in [\![\Box A \rightarrow PO(\lambda)]\!]$.

Case 2.3: Assume that there exists $n$, $i \le n \le j$, such that:

$\langle\sigma,i,n\rangle \in [\![\lambda_1]\!]$ (B.2.9)

$\langle\sigma,n,j\rangle \in [\![\lambda_2]\!]$ (B.2.10)

$\sigma[n] \models (after(\lambda_1) \wedge at(\lambda_2))$ (B.2.11)

for all $k$, $i \le k < n$: $\sigma[k] \not\models (in(\lambda_2) \vee after(\lambda_2))$ (B.2.12)

for all $k$, $n < k \le j$: $\sigma[k] \not\models (in(\lambda_1) \vee after(\lambda_1))$ (B.2.13)

If $\sigma[..i] \not\models I_{PO(\lambda)}$ then, by definition, $\langle\sigma,i,j\rangle \in [\![PO(\lambda)]\!]$. By definition (4.6), we conclude that $\langle\sigma,i,j\rangle \in [\![\Box A \rightarrow PO(\lambda)]\!]$.

Now suppose $\sigma[..i] \models I_{PO(\lambda)}$ holds.

First observe that due to Control Predicate Axiom CP4(a) and CP4(c) of Appendix A we have $at(\lambda) = at(\lambda_1)$ and $after(\lambda) = after(\lambda_2)$. Therefore, choosing $pre(\lambda_1)$ for $pre(\lambda)$ and choosing $post(\lambda_2)$ for $post(\lambda)$ we have:

$I_{PO(\lambda_1)} = (I_{PO(\lambda_1)} \wedge (at(\lambda) \Rightarrow pre(\lambda_1)))$ (B.2.14)

$I_{PO(\lambda_2)} = (I_{PO(\lambda_2)} \wedge (after(\lambda) \Rightarrow post(\lambda_2)))$ (B.2.15)

Because $I_{PO(\lambda)}$ implies $I_{PO(\lambda_1)}$, $\sigma[..i] \models I_{PO(\lambda_1)}$ holds. From (B.2.9) and (B.2.1) we have $\langle\sigma,i,n\rangle \in [\![\Box A \rightarrow PO(\lambda_1)]\!]$. Given the assumption (of Case 2) that $\langle\sigma,i,j\rangle \in [\![\Box A]\!]$ we conclude that $\langle\sigma,i,n\rangle \in [\![PO(\lambda_1)]\!]$.

From $\langle\sigma,i,n\rangle \in [\![PO(\lambda_1)]\!]$ and assumption (above) $\sigma[..i] \models I_{PO(\lambda_1)}$ we have:

For all $k$, $i \le k \le n$: $\sigma[..k] \models I_{PO(\lambda_1)}$ (B.2.16)

By narrowing the range, we get:

For all $k$, $i \le k < n$: $\sigma[..k] \models I_{PO(\lambda_1)}$

And, from (B.2.14) we get

For all $k$, $i \le k < n$: $\sigma[..k] \models I_{PO(\lambda_1)} \wedge (at(\lambda) \Rightarrow pre(\lambda_1))$

According to (B.2.12), $I_{PO(\lambda_2)}$ is trivially true in states $\sigma[..k]$ where $i \le k < n$. Moreover, from (B.2.15), $I_{PO(\lambda_2)} \wedge (after(\lambda) \Rightarrow post(\lambda_2))$ is also true in those states:

For all $k$, $i \le k < n$: $\sigma[..k] \models (I_{PO(\lambda_1)} \wedge (at(\lambda) \Rightarrow pre(\lambda_1)) \wedge I_{PO(\lambda_2)} \wedge (after(\lambda) \Rightarrow post(\lambda_2)))$

Equivalently, we have for all $k$, $i \le k < n$: $\sigma[..k] \models I_{PO(\lambda)}$.

From (B.2.16), again by narrowing the range, we conclude $\sigma[..n] \models I_{PO(\lambda_1)}$. By definition, $I_{PO(\lambda_1)}$ implies $after(\lambda_1) \Rightarrow post(\lambda_1)$, so by conjoining (B.2.11), we infer

$\sigma[..n] \models I_{PO(\lambda_1)} \wedge after(\lambda_1) \wedge post(\lambda_1) \wedge at(\lambda_2)$

And, because of the assumption (Case 2) that $\langle\sigma,i,j\rangle \in [\![\Box A]\!]$, we have $\sigma[..n] \models A$. Thus we conclude:

$\sigma[..n] \models A \wedge I_{PO(\lambda_1)} \wedge after(\lambda_1) \wedge post(\lambda_1) \wedge at(\lambda_2)$

Using (B.2.3) we get:

$\sigma[..n] \models I_{PO(\lambda_1)} \wedge after(\lambda_1) \wedge post(\lambda_1) \wedge at(\lambda_2) \wedge pre(\lambda_2)$

$PO(\lambda_2)$ is self consistent, so $at(\lambda_2) \wedge pre(\lambda_2)$ implies $I_{PO(\lambda_2)}$:

$\sigma[..n] \models I_{PO(\lambda_1)} \wedge I_{PO(\lambda_2)}$

Using (B.2.14) and (B.2.15), we get

$\sigma[..n] \models I_{PO(\lambda_1)} \wedge (at(\lambda) \Rightarrow pre(\lambda_1)) \wedge I_{PO(\lambda_2)} \wedge (after(\lambda) \Rightarrow post(\lambda_2))$

or equivalently $\sigma[..n] \models I_{PO(\lambda)}$.

From (B.2.10) and (B.2.1) we have $\langle\sigma,n,j\rangle \in [\![\Box A \rightarrow PO(\lambda_2)]\!]$. Given the assumption (of Case 2) that $\langle\sigma,i,j\rangle \in [\![\Box A]\!]$ we conclude that $\langle\sigma,n,j\rangle \in [\![PO(\lambda_2)]\!]$.

From $\langle\sigma,n,j\rangle \in [\![PO(\lambda_2)]\!]$ and $\sigma[..n] \models I_{PO(\lambda)}$ we have:

For all $k$, $n \le k \le j$: $\sigma[..k] \models I_{PO(\lambda_2)}$

And, from (B.2.15) we get

For all $k$, $n \le k \le j$: $\sigma[..k] \models I_{PO(\lambda_2)} \wedge (after(\lambda) \Rightarrow post(\lambda_2))$

According to (B.2.13), $I_{PO(\lambda_1)}$ is trivially true in traces $\sigma[..k]$ where $n \le k \le j$. Moreover, from (B.2.14), $I_{PO(\lambda_1)} \wedge (at(\lambda) \Rightarrow pre(\lambda_1))$ is also true in those traces:

For all $k$, $n \le k \le j$: $\sigma[..k] \models (I_{PO(\lambda_1)} \wedge (at(\lambda) \Rightarrow pre(\lambda_1)) \wedge I_{PO(\lambda_2)} \wedge (after(\lambda) \Rightarrow post(\lambda_2)))$,

or equivalently for all $k$, $n \le k \le j$: $\sigma[..k] \models I_{PO(\lambda)}$.

Having proved for all $k$, $i \le k < n$: $\sigma[..k] \models I_{PO(\lambda)}$ and for all $k$, $n \le k \le j$: $\sigma[..k] \models I_{PO(\lambda)}$ we conclude for all $k$, $i \le k \le j$: $\sigma[..k] \models I_{PO(\lambda)}$. This means that $\langle\sigma,i,j\rangle \in [\![\Box A \rightarrow PO(\lambda)]\!]$ holds. □
Lemma (Soundness of Cnstr-ParComp): The rule

Cnstr-ParComp:
$$\frac{\Box A \rightarrow PO(\lambda_1),\quad \Box A \rightarrow PO(\lambda_2),\quad \Box A \rightarrow PO(\lambda_1)\text{ and }\Box A \rightarrow PO(\lambda_2)\text{ are interference free}}{\Box A \rightarrow \{pre(\lambda_1) \wedge pre(\lambda_2)\}\ \lambda:[PO(\lambda_1)\ //\ PO(\lambda_2)]\ \{post(\lambda_1) \wedge post(\lambda_2)\}}$$

is sound.

Proof. Assume that the three hypotheses are valid. Therefore, we have that $PO(\lambda_1)$ is self consistent, $PO(\lambda_2)$ is self consistent, and:

$[\![\lambda_1]\!] \subseteq ([\![PO(\lambda_1)]\!] \cup [\![\neg\Box A]\!])$ (B.3.1)

$[\![\lambda_2]\!] \subseteq ([\![PO(\lambda_2)]\!] \cup [\![\neg\Box A]\!])$ (B.3.2)

For all $\lambda_a \in Assig(\lambda_1)$, where $\lambda_a$ is the assignment $\lambda_a: [x := E]$: (B.3.3)

$[\![\lambda_a]\!] \subseteq ([\![\{at(\lambda_a) \wedge I_{PO(\lambda_1)} \wedge I_{PO(\lambda_2)}\}\ \lambda_a: [x := E]\ \{I_{PO(\lambda_2)}\}]\!] \cup [\![\neg\Box A]\!])$

For all $\lambda_a \in Assig(\lambda_2)$, where $\lambda_a$ is the assignment $\lambda_a: [x := E]$: (B.3.4)

$[\![\lambda_a]\!] \subseteq ([\![\{at(\lambda_a) \wedge I_{PO(\lambda_1)} \wedge I_{PO(\lambda_2)}\}\ \lambda_a: [x := E]\ \{I_{PO(\lambda_1)}\}]\!] \cup [\![\neg\Box A]\!])$

To establish validity of the rule's conclusion, we must prove that $[\![\lambda]\!] \subseteq [\![\Box A \rightarrow PO(\lambda)]\!]$, where $PO(\lambda)$ is $\{pre(\lambda_1) \wedge pre(\lambda_2)\}\ \lambda:[PO(\lambda_1)\ //\ PO(\lambda_2)]\ \{post(\lambda_1) \wedge post(\lambda_2)\}$. We do this by proving $\langle\sigma,i,j\rangle \in [\![\lambda]\!]$ implies $\langle\sigma,i,j\rangle \in ([\![PO(\lambda)]\!] \cup [\![\neg\Box A]\!])$.

Let $\langle\sigma,i,j\rangle \in [\![\lambda]\!]$ hold.

Case 1: Assume $\langle\sigma,i,j\rangle \notin [\![\Box A]\!]$. According to definition (4.6) of a constrained proof outline, $\langle\sigma,i,j\rangle \in [\![\Box A \rightarrow PO(\lambda)]\!]$ holds.

Case 2: Assume $\langle\sigma,i,j\rangle \in [\![\Box A]\!]$. In order to conclude $\langle\sigma,i,j\rangle \in [\![\Box A \rightarrow PO(\lambda)]\!]$ holds, we must show that $\langle\sigma,i,j\rangle \in [\![PO(\lambda)]\!]$ holds. We consider two cases.

Case 2.1: Assume $\sigma[..i] \not\models I_{PO(\lambda)}$. According to definition (4.4) of the property defined by $PO(\lambda)$, we conclude $\langle\sigma,i,j\rangle \in [\![PO(\lambda)]\!]$ holds.

Case 2.2: Assume $\sigma[..i] \models I_{PO(\lambda)}$. We prove

For all $k$, $i \le k \le j$: $\sigma[..k] \models I_{PO(\lambda)}$

by induction. This establishes that $\langle\sigma,i,j\rangle \in [\![PO(\lambda)]\!]$ holds, due to definition (4.4) of the property defined by $PO(\lambda)$.

For the induction hypothesis we use

$P(h)$: $i \le h \wedge (h \le j \Rightarrow \text{for all } k,\ i \le k \le h:\ \sigma[..k] \models I_{PO(\lambda)})$

Base Case: Prove $P(i)$. $P(i)$ holds because it is implied by the assumption of (this) Case 2.2.

Induction Case: Prove $P(h) \Rightarrow P(h+1)$. We assume that $P(h)$ holds and prove $P(h+1)$. If $j \le h$ then $P(h+1)$ is trivially valid, so $P(h) \Rightarrow P(h+1)$ is proved. We now consider the case where $h < j$.

According to the definition (4.2) of $[\![\lambda]\!]$, we have $(\sigma[h], \sigma[h+1]) \in R_{\lambda':[x := E]}$ for some $\lambda' \in (Assig(\lambda_1) \cup Assig(\lambda_2))$. Without loss of generality, suppose $\lambda' \in Assig(\lambda_1)$ holds. Thus, we have $\langle\sigma,h,h+1\rangle \in [\![\lambda']\!]$ and $\langle\sigma,h,h+1\rangle \in [\![\lambda_1]\!]$.

Given assumption $\langle\sigma,i,j\rangle \in [\![\Box A]\!]$ of (this) Case 2 and (B.3.1), we conclude $\langle\sigma,h,h+1\rangle \in [\![PO(\lambda_1)]\!]$ holds. From assumptions $P(h)$ and $h < j$ we have $\sigma[..h] \models I_{PO(\lambda)}$. Thus, $\sigma[..h] \models I_{PO(\lambda_1)}$ because $I_{PO(\lambda)}$ implies $I_{PO(\lambda_1)}$ by definition:

$I_{PO(\lambda)}$: $I_{PO(\lambda_1)} \wedge I_{PO(\lambda_2)} \wedge (at(\lambda) \Rightarrow (pre(\lambda_1) \wedge pre(\lambda_2))) \wedge (after(\lambda) \Rightarrow (post(\lambda_1) \wedge post(\lambda_2)))$ (B.3.5)

Since $\sigma[..h] \models I_{PO(\lambda_1)}$, according to definition (4.4) of $[\![PO(\lambda_1)]\!]$ we have that for all $k$, $h \le k \le h+1$: $\sigma[..k] \models I_{PO(\lambda_1)}$ holds, because we know $\langle\sigma,h,h+1\rangle \in [\![PO(\lambda_1)]\!]$. And, since $i \le h < j$ we conclude

$\sigma[..h+1] \models I_{PO(\lambda_1)}$. (B.3.6)

Given $\langle\sigma,h,h+1\rangle \in [\![\lambda']\!]$, we conclude from (B.3.3) that:

$\langle\sigma,h,h+1\rangle \in ([\![\{at(\lambda') \wedge I_{PO(\lambda_1)} \wedge I_{PO(\lambda_2)}\}\ \lambda'\ \{I_{PO(\lambda_2)}\}]\!] \cup [\![\neg\Box A]\!])$

Thus, from the assumption $\langle\sigma,i,j\rangle \in [\![\Box A]\!]$ of (this) Case 2, we obtain:

$\langle\sigma,h,h+1\rangle \in [\![\{at(\lambda') \wedge I_{PO(\lambda_1)} \wedge I_{PO(\lambda_2)}\}\ \lambda'\ \{I_{PO(\lambda_2)}\}]\!]$ (B.3.7)

From assumptions $P(h)$ and $h < j$ we have $\sigma[..h] \models I_{PO(\lambda)}$ so, from (B.3.5), we conclude

$\sigma[..h] \models I_{PO(\lambda_1)} \wedge I_{PO(\lambda_2)}$. (B.3.8)

Using definition (4.4) of the property defined by a proof outline, we conclude from (B.3.7) that either $\sigma[..h] \not\models I_{PO(\lambda')}$ or

For all $k$, $h \le k \le h+1$: $\sigma[..k] \models I_{PO(\lambda')}$ (B.3.9)

where

$I_{PO(\lambda')}$: $(at(\lambda') \Rightarrow (at(\lambda') \wedge I_{PO(\lambda_1)} \wedge I_{PO(\lambda_2)})) \wedge (after(\lambda') \Rightarrow I_{PO(\lambda_2)})$

Definition (4.1) and $(\sigma[h], \sigma[h+1]) \in R_{\lambda':[x := E]}$ implies $\sigma[h] \models at(\lambda')$. Conjoining $\sigma[h] \models at(\lambda')$ and (B.3.8) allows us to rule out $\sigma[..h] \not\models I_{PO(\lambda')}$, so (B.3.9) must hold.

From $(\sigma[h], \sigma[h+1]) \in R_{\lambda':[x := E]}$ and definition (4.1), we have $\sigma[h+1] \models after(\lambda')$. We, therefore, conclude from (B.3.9) that

$\sigma[..h+1] \models I_{PO(\lambda_2)}$ (B.3.10)

Finally, observe that, by construction, $I_{PO(\lambda_1)} \wedge I_{PO(\lambda_2)}$ is equivalent to $I_{PO(\lambda)}$ defined in (B.3.5). Thus, proving (B.3.6) and (B.3.10), as we have, suffices for proving $\sigma[..h+1] \models I_{PO(\lambda)}$, and $P(h+1)$ is proved. □
Lemma (Soundness of Cnstr-Equiv): The rule

Cnstr-Equiv:
$$\frac{\Box A \rightarrow PO(\lambda),\quad A \Rightarrow (I_{PO(\lambda)} = I_{PO'(\lambda)}),\quad PO'(\lambda)\text{ is self consistent}}{\Box A \rightarrow PO'(\lambda)}$$

is sound.

Proof. Assume that the three hypotheses are valid. We prove that the rule's conclusion is valid by showing $[\![\lambda]\!] \subseteq [\![\Box A \rightarrow PO'(\lambda)]\!]$.

Let $\langle\sigma,i,j\rangle \in [\![\lambda]\!]$. From the validity of $\Box A \rightarrow PO(\lambda)$, we have $[\![\lambda]\!] \subseteq [\![\Box A \rightarrow PO(\lambda)]\!]$. We consider two cases.

Case 1: Assume $\langle\sigma,i,j\rangle \notin [\![\Box A]\!]$. According to definition (4.6) for the property defined by a constrained proof outline, we have $\langle\sigma,i,j\rangle \in [\![\Box A \rightarrow PO'(\lambda)]\!]$.

Case 2: Assume $\langle\sigma,i,j\rangle \in [\![\Box A]\!]$. This means

For all $k$, $i \le k \le j$: $\sigma[..k] \models A$ (B.4.1)

Assuming $\langle\sigma,i,j\rangle \in [\![\Box A]\!]$ also implies $\langle\sigma,i,j\rangle \in [\![PO(\lambda)]\!]$, due to definition (4.6) of the property defined by a constrained proof outline. From definition (4.4) of $[\![PO(\lambda)]\!]$ we conclude $\sigma[..i] \not\models I_{PO(\lambda)}$ or else for all $k$, $i \le k \le j$: $\sigma[..k] \models I_{PO(\lambda)}$. By conjoining (B.4.1) with these, we infer $\sigma[..i] \not\models (A \wedge I_{PO(\lambda)})$ or else for all $k$, $i \le k \le j$: $\sigma[..k] \models (A \wedge I_{PO(\lambda)})$.

The second hypothesis of Cnstr-Equiv implies that $A \wedge I_{PO(\lambda)}$ equals $A \wedge I_{PO'(\lambda)}$. Thus, we conclude $\sigma[..i] \not\models (A \wedge I_{PO'(\lambda)})$ or else for all $k$, $i \le k \le j$: $\sigma[..k] \models (A \wedge I_{PO'(\lambda)})$ must hold. Given (B.4.1), if $\sigma[..i] \not\models (A \wedge I_{PO'(\lambda)})$ holds then $\sigma[..i] \not\models I_{PO'(\lambda)}$ must. And, in that case, $\langle\sigma,i,j\rangle \in [\![PO'(\lambda)]\!]$ according to definition (4.4) applied to $[\![PO'(\lambda)]\!]$ because, by hypothesis, $PO'(\lambda)$ is self consistent. In the case where for all $k$, $i \le k \le j$: $\sigma[..k] \models (A \wedge I_{PO'(\lambda)})$ holds, we conclude that for all $k$, $i \le k \le j$: $\sigma[..k] \models I_{PO'(\lambda)}$ must hold, because $(A \wedge I_{PO'(\lambda)}) \Rightarrow I_{PO'(\lambda)}$. Again, $\langle\sigma,i,j\rangle \in [\![PO'(\lambda)]\!]$ according to definition (4.4) applied to $[\![PO'(\lambda)]\!]$ because, by hypothesis, $PO'(\lambda)$ is self consistent.

Having proved $\langle\sigma,i,j\rangle \in [\![PO'(\lambda)]\!]$, we conclude $\langle\sigma,i,j\rangle \in [\![\Box A \rightarrow PO'(\lambda)]\!]$ based on definition (4.6) for the property defined by a constrained proof outline. □
Lemma (Relative Completeness of Cnstr-Assig): The rule

Cnstr-Assig:
$$\frac{\{p \wedge A\}\ \lambda:[x := E]\ \{q \vee \neg A\}}{\Box A \rightarrow \{p\}\ \lambda:[x := E]\ \{q\}}$$

is relatively complete.

Proof. Assume that conclusion $\Box A \rightarrow \{p\}\ \lambda:[x := E]\ \{q\}$ is valid. We show that hypothesis $\{p \wedge A\}\ \lambda:[x := E]\ \{q \vee \neg A\}$ is valid as well, by showing that if $\langle\sigma,i,j\rangle \in [\![\lambda]\!]$ holds, then $\langle\sigma,i,j\rangle \in [\![\{p \wedge A\}\ \lambda:[x := E]\ \{q \vee \neg A\}]\!]$ holds.

Let $\langle\sigma,i,j\rangle \in [\![\lambda]\!]$ hold. We consider two cases.

Case 1: Assume $\langle\sigma,i,j\rangle \in [\![\Box A]\!]$. According to the definition of $[\![\Box A]\!]$:

For all $k$, $i \le k \le j$: $\sigma[..k] \models A$ (B.5.1)

Using this and the assumption that $\Box A \rightarrow \{p\}\ \lambda:[x := E]\ \{q\}$ is valid, we conclude that $\langle\sigma,i,j\rangle \in [\![PO(\lambda)]\!]$ and due to (4.4) one of the following holds:

$\sigma[..i] \not\models I_{PO(\lambda)}$ (B.5.2)

for all $k$, $i \le k \le j$: $\sigma[..k] \models I_{PO(\lambda)}$ (B.5.3)

where $I_{PO(\lambda)}$: $(at(\lambda) \Rightarrow p) \wedge (after(\lambda) \Rightarrow q)$

It suffices to prove that if (B.5.2) holds or (B.5.3) holds, then $\langle\sigma,i,j\rangle \in [\![\{p \wedge A\}\ \lambda:[x := E]\ \{q \vee \neg A\}]\!]$.

Case 1.1: Assume (B.5.2) holds. Thus, $\sigma[..i] \not\models ((at(\lambda) \Rightarrow p) \wedge (after(\lambda) \Rightarrow q))$ holds. Given (B.5.1), this implies $\sigma[..i] \models ((at(\lambda) \wedge (\neg p \vee \neg A)) \vee (after(\lambda) \wedge (\neg q \wedge A)))$ holds. This means $\sigma[..i] \not\models ((at(\lambda) \Rightarrow p \wedge A) \wedge (after(\lambda) \Rightarrow q \vee \neg A))$ holds so, by definition, $\langle\sigma,i,j\rangle \in [\![\{p \wedge A\}\ \lambda:[x := E]\ \{q \vee \neg A\}]\!]$ holds.

Case 1.2: Assume (B.5.3) holds. Given (B.5.1), this implies that

for all $k$, $i \le k \le j$: $\sigma[..k] \models ((at(\lambda) \Rightarrow p \wedge A) \wedge (after(\lambda) \Rightarrow q \vee \neg A))$

holds. Thus, by definition, $\langle\sigma,i,j\rangle \in [\![\{p \wedge A\}\ \lambda:[x := E]\ \{q \vee \neg A\}]\!]$ holds.

Case 2: Assume $\langle\sigma,i,j\rangle \notin [\![\Box A]\!]$. According to the definition of $[\![\Box A]\!]$:

Exists $k$, $i \le k \le j$: $\sigma[..k] \models \neg A$ (B.5.4)

We consider three cases, according to the definition of $[\![\lambda]\!]$ given in (4.2). Since $\{p \wedge A\}\ \lambda:[x := E]\ \{q \vee \neg A\}$ is self consistent, it suffices to prove that $\langle\sigma,i,j\rangle \in [\![\{p \wedge A\}\ \lambda:[x := E]\ \{q \vee \neg A\}]\!]$ holds.

Case 2.1: Assume $j = i$ and $\sigma[..i] \models at(\lambda) \wedge \neg after(\lambda)$. By (B.5.4), we conclude $\sigma[..i] \not\models (at(\lambda) \Rightarrow p \wedge A)$, so $\sigma[..i] \not\models ((at(\lambda) \Rightarrow p \wedge A) \wedge (after(\lambda) \Rightarrow q \vee \neg A))$. Thus, by definition, $\langle\sigma,i,j\rangle \in [\![\{p \wedge A\}\ \lambda:[x := E]\ \{q \vee \neg A\}]\!]$ holds.

Case 2.2: Assume $j = i$ and $\sigma[..i] \models \neg at(\lambda) \wedge after(\lambda)$. By (B.5.4), we conclude $\sigma[..i] \models (after(\lambda) \Rightarrow q \vee \neg A)$, so $\sigma[..i] \models ((at(\lambda) \Rightarrow p \wedge A) \wedge (after(\lambda) \Rightarrow q \vee \neg A))$. Since $i = j$ holds, so does

for all $k$, $i \le k \le j$: $\sigma[..k] \models ((at(\lambda) \Rightarrow p \wedge A) \wedge (after(\lambda) \Rightarrow q \vee \neg A))$.

Thus, by definition, $\langle\sigma,i,j\rangle \in [\![\{p \wedge A\}\ \lambda:[x := E]\ \{q \vee \neg A\}]\!]$ holds.

Case 2.3: Assume $j = i+1$ and $\sigma[..i] \models at(\lambda) \wedge \neg after(\lambda)$. If $\sigma[..i] \models (\neg p \vee \neg A)$ then $\sigma[..i] \not\models ((at(\lambda) \Rightarrow p \wedge A) \wedge (after(\lambda) \Rightarrow q \vee \neg A))$ and, by definition, $\langle\sigma,i,j\rangle \in [\![\{p \wedge A\}\ \lambda:[x := E]\ \{q \vee \neg A\}]\!]$ holds. If, on the other hand, $\sigma[..i] \models (p \wedge A)$, then we conclude from $j = i+1$ and (B.5.4) that $\sigma[..j] \models (q \vee \neg A)$ holds, so

for all $k$, $i \le k \le j$: $\sigma[..k] \models ((at(\lambda) \Rightarrow p \wedge A) \wedge (after(\lambda) \Rightarrow q \vee \neg A))$

also holds. Again, $\langle\sigma,i,j\rangle \in [\![\{p \wedge A\}\ \lambda:[x := E]\ \{q \vee \neg A\}]\!]$ holds. □


Lemma (Relative Completeness of Cnstr-SeqComp): Assume that all valid constrained proof outlines $\Box A^* \rightarrow PO^*(\lambda_1)$ and $\Box A^* \rightarrow PO^*(\lambda_2)$ are provable, and assume that all valid predicate logic formulas are provable. Then

$\Box A \rightarrow \{p\}\ \lambda:[PO(\lambda_1);\ PO(\lambda_2)]\ \{q\}$ (B.6.1)

is provable if valid.

Proof. Assume (B.6.1) is valid. Let

$\Box A \rightarrow \{I\}\ \lambda:[PO'(\lambda_1);\ PO'(\lambda_2)]\ \{I\}$ (B.6.2)

be a proof outline for $\lambda:[\lambda_1;\ \lambda_2]$ in which every assertion in $PO'(\lambda_1)$ and $PO'(\lambda_2)$ is

$I$: $I_{PO(\lambda_1)} \wedge I_{PO(\lambda_2)} \wedge (at(\lambda) \Rightarrow p) \wedge (after(\lambda) \Rightarrow q)$.

Observe that (B.6.2) is valid by Cnstr-Equiv because the proof outline invariant for (B.6.1) equals $I$ and (B.6.1) is valid.

We show below that

$\Box A \rightarrow \{I\}\ PO'(\lambda_1)\ \{I\}$ (B.6.3)

$\Box A \rightarrow \{I\}\ PO'(\lambda_2)\ \{I\}$ (B.6.4)

are both valid. This implies that (B.6.3) and (B.6.4) are provable by the assumptions of this lemma. By construction, $post(\lambda_1)$ and $pre(\lambda_2)$ in (B.6.2) are both $I$, so $A \wedge post(\lambda_1) \Rightarrow pre(\lambda_2)$ is valid and, by the lemma's assumption, provable. The three hypotheses needed for using Cnstr-SeqComp to deduce (B.6.2) are now discharged. We can thus use Cnstr-Equiv to deduce (B.6.1).

We prove that (B.6.3) is valid by showing that $[\![\lambda_1]\!] \subseteq [\![\Box A \rightarrow \{I\}\ PO'(\lambda_1)\ \{I\}]\!]$ holds. Let $\langle\sigma,i,j\rangle \in [\![\lambda_1]\!]$ hold. This means that $\langle\sigma,i,j\rangle \in [\![\lambda]\!]$ holds as well. We conclude

$\langle\sigma,i,j\rangle \in [\![\Box A \rightarrow \{I\}\ \lambda:[PO'(\lambda_1);\ PO'(\lambda_2)]\ \{I\}]\!]$ (B.6.5)

because (B.6.2) was proved valid above.

Case 1: Assume $\langle\sigma,i,j\rangle \notin [\![\Box A]\!]$. According to definition (4.6) for the property defined by a constrained proof outline, we have $\langle\sigma,i,j\rangle \in [\![\Box A \rightarrow \{I\}\ PO'(\lambda_1)\ \{I\}]\!]$.

Case 2: Assume $\langle\sigma,i,j\rangle \in [\![\Box A]\!]$. This assumption and (B.6.5) imply

$\langle\sigma,i,j\rangle \in [\![\{I\}\ \lambda:[PO'(\lambda_1);\ PO'(\lambda_2)]\ \{I\}]\!]$.

The proof outline invariant for (B.6.2) is

$I'$: $\bigwedge_{\lambda' \in Lab(\lambda)} ((at(\lambda') \Rightarrow I) \wedge (after(\lambda') \Rightarrow I))$ (B.6.6)

where $cp$ ranges over the control predicates of $\lambda$. From definition (4.4) of $[\![PO(\lambda)]\!]$ we infer that $\sigma[..i] \not\models I'$ or else for all $k$, $i \le k \le j$: $\sigma[..k] \models I'$.

Case 2.1: Assume $\sigma[..i] \not\models I'$. Thus, by definition, $\sigma[..i] \models \neg I'$ holds. According to definition (B.6.6) for $I'$, we conclude $\sigma[..i] \models ((\bigvee_{cp} cp) \wedge \neg I)$ holds, which implies that $\sigma[..i] \not\models I$ holds. By definition (4.4) of $[\![PO(\lambda_1)]\!]$, we conclude $\langle\sigma,i,j\rangle \in [\![\{I\}\ PO'(\lambda_1)\ \{I\}]\!]$. And, according to definition (4.6) for the property defined by a constrained proof outline, we have $\langle\sigma,i,j\rangle \in [\![\Box A \rightarrow \{I\}\ PO'(\lambda_1)\ \{I\}]\!]$.

Case 2.2: Assume for all $k$, $i \le k \le j$: $\sigma[..k] \models I'$. Since $\langle\sigma,i,j\rangle \in [\![\lambda_1]\!]$ we have for all $k$, $i \le k \le j$: $\sigma[..k] \models (in(\lambda_1) \vee after(\lambda_1))$. By construction $(I' \wedge (in(\lambda_1) \vee after(\lambda_1))) \Rightarrow I$ is valid. So we infer that for all $k$, $i \le k \le j$: $\sigma[..k] \models I$. $I$ implies $I_{PO(\lambda_1)}$, and this allows us to conclude for all $k$, $i \le k \le j$: $\sigma[..k] \models I_{PO(\lambda_1)}$. Thus, by definition (4.4) of $[\![PO(\lambda_1)]\!]$, we conclude $\langle\sigma,i,j\rangle \in [\![\{I\}\ PO'(\lambda_1)\ \{I\}]\!]$. According to definition (4.6) for the property defined by a constrained proof outline, we conclude $\langle\sigma,i,j\rangle \in [\![\Box A \rightarrow \{I\}\ PO'(\lambda_1)\ \{I\}]\!]$.

A similar argument establishes that (B.6.4) is valid. □
Lemma (Relative Completeness of Cnstr-ParComp): Assume that all valid constrained proof outlines $\Box A^* \rightarrow PO^*(\lambda_1)$ and $\Box A^* \rightarrow PO^*(\lambda_2)$ are provable, and assume that all valid constrained proof outlines involving the individual assignment statements in $\lambda_1$ and $\lambda_2$ are provable. Then

$\Box A \rightarrow \{pre(\lambda_1) \wedge pre(\lambda_2)\}\ \lambda:[PO(\lambda_1)\ //\ PO(\lambda_2)]\ \{post(\lambda_1) \wedge post(\lambda_2)\}$ (B.7.1)

is provable if valid.

Proof. Assume (B.7.1) is valid. Let

$\Box A \rightarrow \{I\}\ \lambda:[PO'(\lambda_1)\ //\ PO'(\lambda_2)]\ \{I\}$ (B.7.2)

be a proof outline for $\lambda:[\lambda_1\ //\ \lambda_2]$ in which every assertion in $PO'(\lambda_1)$ and $PO'(\lambda_2)$ is

$I$: $I_{PO(\lambda_1)} \wedge I_{PO(\lambda_2)} \wedge (at(\lambda) \Rightarrow (pre(\lambda_1) \wedge pre(\lambda_2))) \wedge (after(\lambda) \Rightarrow (post(\lambda_1) \wedge post(\lambda_2)))$.

Observe that (B.7.2) is valid by Cnstr-Equiv, because the proof outline invariant for (B.7.1) equals $I$ and (B.7.1) is valid.

We show below that

$\Box A \rightarrow \{I\}\ PO'(\lambda_1)\ \{I\}$ (B.7.3)

$\Box A \rightarrow \{I\}\ PO'(\lambda_2)\ \{I\}$ (B.7.4)

are both valid. This implies that (B.7.3) and (B.7.4) are provable by the assumptions of this lemma. We also show:

For all $\lambda_a \in Assig(\lambda_1)$, where $\lambda_a$ is the assignment $\lambda_a: [x := E]$: (B.7.5)

$\Box A \rightarrow \{at(\lambda_a) \wedge I_{PO(\lambda_1)} \wedge I_{PO(\lambda_2)}\}\ \lambda_a: [x := E]\ \{I_{PO(\lambda_2)}\}$

is valid.

For all $\lambda_a \in Assig(\lambda_2)$, where $\lambda_a$ is the assignment $\lambda_a: [x := E]$: (B.7.6)

$\Box A \rightarrow \{at(\lambda_a) \wedge I_{PO(\lambda_1)} \wedge I_{PO(\lambda_2)}\}\ \lambda_a: [x := E]\ \{I_{PO(\lambda_1)}\}$

is valid.

By the lemma's assumption, interference-freedom obligations (B.7.5) and (B.7.6) are thus provable. The three hypotheses needed for using Cnstr-ParComp to deduce (B.7.2) are now discharged. We can thus use Cnstr-Equiv to deduce (B.7.1).

We prove that (B.7.3) is valid by showing that $[\![\lambda_1]\!] \subseteq [\![\Box A \rightarrow \{I\}\ PO'(\lambda_1)\ \{I\}]\!]$ holds. Let $\langle\sigma,i,j\rangle \in [\![\lambda_1]\!]$ hold. This means that $\langle\sigma,i,j\rangle \in [\![\lambda]\!]$ holds as well. We conclude

$\langle\sigma,i,j\rangle \in [\![\Box A \rightarrow \{I\}\ \lambda:[PO'(\lambda_1)\ //\ PO'(\lambda_2)]\ \{I\}]\!]$ (B.7.7)

because (B.7.2) was proved valid above.

Case 1: Assume $\langle\sigma,i,j\rangle \notin [\![\Box A]\!]$. According to definition (4.6) for the property defined by a constrained proof outline, we have $\langle\sigma,i,j\rangle \in [\![\Box A \rightarrow \{I\}\ PO'(\lambda_1)\ \{I\}]\!]$.

Case 2: Assume $\langle\sigma,i,j\rangle \in [\![\Box A]\!]$. This assumption and (B.7.7) imply

$\langle\sigma,i,j\rangle \in [\![\{I\}\ \lambda:[PO'(\lambda_1)\ //\ PO'(\lambda_2)]\ \{I\}]\!]$.

The proof outline invariant for (B.7.2) is

$I'$: $\bigwedge_{cp} (cp \Rightarrow I)$ (B.7.8)

where $cp$ ranges over the control predicates of $\lambda$. From definition (4.4) of $[\![PO(\lambda)]\!]$ we infer that $\sigma[..i] \not\models I'$ or else for all $k$, $i \le k \le j$: $\sigma[..k] \models I'$.

Case 2.1: Assume $\sigma[..i] \not\models I'$. Thus, by definition, $\sigma[..i] \models \neg I'$ holds. According to definition (B.7.8) for $I'$, we conclude $\sigma[..i] \models ((\bigvee_{cp} cp) \wedge \neg I)$ holds, which implies that $\sigma[..i] \not\models I$ holds. By definition (4.4) of $[\![PO(\lambda_1)]\!]$, we conclude $\langle\sigma,i,j\rangle \in [\![\{I\}\ PO'(\lambda_1)\ \{I\}]\!]$. And, according to definition (4.6) for the property defined by a constrained proof outline, we have $\langle\sigma,i,j\rangle \in [\![\Box A \rightarrow \{I\}\ PO'(\lambda_1)\ \{I\}]\!]$.

Case 2.2: Assume for all $k$, $i \le k \le j$: $\sigma[..k] \models I'$. Since $\langle\sigma,i,j\rangle \in [\![\lambda_1]\!]$ we have for all $k$, $i \le k \le j$: $\sigma[..k] \models (in(\lambda_1) \vee after(\lambda_1))$. By construction $(I' \wedge (in(\lambda_1) \vee after(\lambda_1))) \Rightarrow I$ is valid. So we infer that for all $k$, $i \le k \le j$: $\sigma[..k] \models I$. $I$ implies $I_{PO(\lambda_1)}$, and this allows us to conclude for all $k$, $i \le k \le j$: $\sigma[..k] \models I_{PO(\lambda_1)}$. Thus, by definition (4.4) of $[\![PO(\lambda_1)]\!]$, we conclude $\langle\sigma,i,j\rangle \in [\![\{I\}\ PO'(\lambda_1)\ \{I\}]\!]$. According to definition (4.6) for the property defined by a constrained proof outline, we conclude $\langle\sigma,i,j\rangle \in [\![\Box A \rightarrow \{I\}\ PO'(\lambda_1)\ \{I\}]\!]$.

A similar argument establishes that (B.7.4) is valid.

We prove that (B.7.5) is valid by showing that

$[\![\lambda_a]\!] \subseteq [\![\Box A \rightarrow \{at(\lambda_a) \wedge I_{PO(\lambda_1)} \wedge I_{PO(\lambda_2)}\}\ \lambda_a: [x := E]\ \{I_{PO(\lambda_2)}\}]\!]$

holds for all $\lambda_a \in Assig(\lambda_1)$, where $\lambda_a$ is an assignment $\lambda_a: [x := E]$.

For arbitrary $\lambda_a$, let $\langle\sigma,i,j\rangle \in [\![\lambda_a]\!]$ hold. This means that $\langle\sigma,i,j\rangle \in [\![\lambda]\!]$ holds as well. We conclude

$\langle\sigma,i,j\rangle \in [\![\Box A \rightarrow \{I\}\ \lambda:[PO'(\lambda_1)\ //\ PO'(\lambda_2)]\ \{I\}]\!]$ (B.7.9)

because (B.7.2) was proved valid above. Define

$PO^*(\lambda_a)$: $\{at(\lambda_a) \wedge I_{PO(\lambda_1)} \wedge I_{PO(\lambda_2)}\}\ \lambda_a: [x := E]\ \{I_{PO(\lambda_2)}\}$

Case 1: Assume $\langle\sigma,i,j\rangle \notin [\![\Box A]\!]$. According to definition (4.6) for the property defined by a constrained proof outline, we have $\langle\sigma,i,j\rangle \in [\![\Box A \rightarrow PO^*(\lambda_a)]\!]$.

Case 2: Assume $\langle\sigma,i,j\rangle \in [\![\Box A]\!]$. This assumption and (B.7.9) imply

$\langle\sigma,i,j\rangle \in [\![\{I\}\ \lambda:[PO'(\lambda_1)\ //\ PO'(\lambda_2)]\ \{I\}]\!]$.

The proof outline invariant for (B.7.9) is

$I'$: $\bigwedge_{\lambda' \in Lab(\lambda)} ((at(\lambda') \Rightarrow I) \wedge (after(\lambda') \Rightarrow I))$ (B.7.10)

where $cp$ ranges over the control predicates of $\lambda$. From definition (4.4) of $[\![PO(\lambda)]\!]$ we infer that $\sigma[..i] \not\models I'$ or else for all $k$, $i \le k \le j$: $\sigma[..k] \models I'$.

Case 2.1: Assume $\sigma[..i] \not\models I'$. Thus, by definition, $\sigma[..i] \models \neg I'$ holds. According to definition (B.7.8) for $I'$, we conclude $\sigma[..i] \models ((\bigvee_{cp} cp) \wedge \neg I)$ holds, which implies that $\sigma[..i] \not\models I_{PO(\lambda_1)} \wedge I_{PO(\lambda_2)}$ holds. By definition (4.4) of $[\![PO^*(\lambda_a)]\!]$, we conclude $\langle\sigma,i,j\rangle \in [\![PO^*(\lambda_a)]\!]$. And, according to definition (4.6) for the property defined by a constrained proof outline, we have $\langle\sigma,i,j\rangle \in [\![\Box A \rightarrow PO^*(\lambda_a)]\!]$.

Case 2.2: Assume for all $k$, $i \le k \le j$: $\sigma[..k] \models I'$. Since $\langle\sigma,i,j\rangle \in [\![\lambda_a]\!]$ holds we have for all $k$, $i \le k \le j$: $\sigma[..k] \models (at(\lambda_a) \vee after(\lambda_a))$. By construction $(I' \wedge (at(\lambda_a) \vee after(\lambda_a))) \Rightarrow I$ is valid. So we infer that for all $k$, $i \le k \le j$: $\sigma[..k] \models I$. $I$ implies $(at(\lambda_a) \Rightarrow (I_{PO(\lambda_1)} \wedge I_{PO(\lambda_2)})) \wedge (after(\lambda_a) \Rightarrow I_{PO(\lambda_2)})$ and this allows us to conclude for all $k$, $i \le k \le j$: $\sigma[..k] \models I_{PO^*(\lambda_a)}$. Thus, by definition (4.4) of $[\![PO^*(\lambda_a)]\!]$, we conclude $\langle\sigma,i,j\rangle \in [\![PO^*(\lambda_a)]\!]$. According to definition (4.6) for the property defined by a constrained proof outline, we conclude $\langle\sigma,i,j\rangle \in [\![\Box A \rightarrow PO^*(\lambda_a)]\!]$.

A similar argument establishes that (B.7.6) is valid. □


Theorem (Relative Completeness): Cnstr-Assig, Cnstr-SeqComp and Cnstr-ParComp comprise a (relatively) complete deductive system.

Proof. The proof is by structural induction on programs.

Base Case: A program consisting of a single assignment statement. This case then follows by the Relative Completeness of Cnstr-Assig Lemma.

Induction Case: This case then follows by the Relative Completeness of Cnstr-SeqComp and Relative Completeness of Cnstr-ParComp Lemmas. □